Analysis Report RCS76393.exe

Overview

General Information

Sample Name: RCS76393.exe
Analysis ID: 383936
MD5: 1ab1c3129fa0764ea0702da70f3ef569
SHA1: ee8cd1946b58390f4599056df1472d01cf85a543
SHA256: 5d1870672eff4e2ec6d699d654d5268051f7a56f8ca991fefa538eeef380a89c
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • RCS76393.exe (PID: 6500 cmdline: 'C:\Users\user\Desktop\RCS76393.exe' MD5: 1AB1C3129FA0764EA0702DA70F3EF569)
    • RCS76393.exe (PID: 6544 cmdline: 'C:\Users\user\Desktop\RCS76393.exe' MD5: 1AB1C3129FA0764EA0702DA70F3EF569)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6848 cmdline: /c del 'C:\Users\user\Desktop\RCS76393.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.batiktintaemas.com/goei/"], "decoy": ["bet365o2.com", "gulf-landlord.info", "foodsystemsjusticeproject.com", "ronwongart.com", "fwgkdhg.icu", "armanrugservice.com", "mapadequito.com", "vbkulkarni.com", "ltsbinge.com", "creativem2.com", "mindflexlab.com", "ushealthvisa.com", "247carkeyslondon.com", "addthat.xyz", "zanzan8.com", "legendsalliance.net", "shopflyonline.com", "csgo-roll.net", "reutbergcapital.com", "mediaworkhouse.com", "office-tourism-tirana.com", "evecrude.xyz", "sportwillwin.com", "cluskmusk.com", "her2mymeme.com", "rsw3313.com", "digitalmarketingmoves.com", "seaworldminecraft.com", "onlinecollegetherapy.com", "ourmonaca.com", "generalflix.com", "limonproduce.com", "casalomasymphonyorchestra.com", "karyapertama.com", "massaponaxhighschool.com", "covidtracksb.com", "breathharbour.net", "italianrealestateagents.com", "xn--ga-c9a.com", "libreo.club", "leverhump.store", "kevinrsamuels.network", "pimpmyrecipe.com", "win-back.online", "kelasipo.com", "caross-china.com", "ly-iot.com", "nolimitsynthetics.net", "epicfriend.club", "19come.com", "lcjzjt.com", "lxpvccard.com", "distributorfocuson.com", "looneytunesrun.com", "mariebiernacki.com", "maquinaclub.com", "randalldavisauthor.com", "niggeruprising.com", "theexpatweightcoach.com", "mex33.info", "imbravura.com", "baldosasanjose.com", "akindousa.com", "ourmunera.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author
3.1.RCS76393.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.RCS76393.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.RCS76393.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
3.2.RCS76393.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.RCS76393.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries not shown in this extract)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.batiktintaemas.com/goei/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (full configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RCS76393.exe | Joe Sandbox ML: detected
Source: 3.1.RCS76393.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.RCS76393.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: RCS76393.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: msiexec.pdb source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RCS76393.exe, 00000003.00000002.362641926.0000000000AEF000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.588142042.0000000004560000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RCS76393.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 4x nop then pop edi 3_2_0040C326
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 4x nop then pop edi 3_1_0040C326
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi 7_2_030AC326

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 198.185.159.144:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.batiktintaemas.com/goei/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.addthat.xyz
Source: C:\Windows\explorer.exe | DNS query: www.evecrude.xyz
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=B46qr3zTyBR1t+VKbrees7UR/FiD4WL3nz1lGh06nIBkEBDQrNA0bRgDDyF1Au9+nA9wWbL6eg==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.ly-iot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=GY2gQUF0Rr/aPbkdLLDyshZLrmGphrTrFvzfodUnQAaoW3qjeuccMn3ranK+t6GyiOOsZqKqHA==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.ronwongart.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.pimpmyrecipe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=BdWs9+XwUamw8CUuz3E8yrboev7iCL3gb6z7OkS86X4CeTXY3ejv3dXKop2WOnP3DDbLLyGv2A==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.foodsystemsjusticeproject.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=iESvN3vx+46BgVwWtoPvPQmUnTMTtp1hHS9L6erIUoS4dJlpb0oL7GpX49j9BG002Zkja/L0IA==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.batiktintaemas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.addthat.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=1hbvBZ6scGrlPy0N1riO1jCdFmqX21DbBNOeXEZPJTZAL1bLTprMXMNvQ4/+FZIG6w0HvwIWjw==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.evecrude.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: IOFLOODUS
Source: Joe Sandbox View | ASN Name: MISSDOMAINSE
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: unknown | DNS traffic detected: queries for: www.ly-iot.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Thu, 08 Apr 2021 10:47:16 GMT | Connection: close | Content-Length: 1245 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 6
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.329599785.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_004181C0 NtCreateFile, 3_2_004181C0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00418270 NtReadFile, 3_2_00418270
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_004182F0 NtClose, 3_2_004182F0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_004183A0 NtAllocateVirtualMemory, 3_2_004183A0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041826B NtReadFile, 3_2_0041826B
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041839A NtAllocateVirtualMemory, 3_2_0041839A
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A398F0 NtReadVirtualMemory, LdrInitializeThunk, 3_2_00A398F0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39860 NtQuerySystemInformation, LdrInitializeThunk, 3_2_00A39860
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39840 NtDelayExecution, LdrInitializeThunk, 3_2_00A39840
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A399A0 NtCreateSection, LdrInitializeThunk, 3_2_00A399A0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39910 NtAdjustPrivilegesToken, LdrInitializeThunk, 3_2_00A39910
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39A20 NtResumeThread, LdrInitializeThunk, 3_2_00A39A20
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39A00 NtProtectVirtualMemory, LdrInitializeThunk, 3_2_00A39A00
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39A50 NtCreateFile, LdrInitializeThunk, 3_2_00A39A50
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A395D0 NtClose, LdrInitializeThunk, 3_2_00A395D0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39540 NtReadFile, LdrInitializeThunk, 3_2_00A39540
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A396E0 NtFreeVirtualMemory, LdrInitializeThunk, 3_2_00A396E0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39660 NtAllocateVirtualMemory, LdrInitializeThunk, 3_2_00A39660
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A397A0 NtUnmapViewOfSection, LdrInitializeThunk, 3_2_00A397A0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39780 NtMapViewOfSection, LdrInitializeThunk, 3_2_00A39780
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39FE0 NtCreateMutant, LdrInitializeThunk, 3_2_00A39FE0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39710 NtQueryInformationToken, LdrInitializeThunk, 3_2_00A39710
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A398A0 NtWriteVirtualMemory, 3_2_00A398A0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39820 NtEnumerateKey, 3_2_00A39820
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A3B040 NtSuspendThread, 3_2_00A3B040
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A399D0 NtCreateProcessEx, 3_2_00A399D0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39950 NtQueueApcThread, 3_2_00A39950
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39A80 NtOpenDirectoryObject, 3_2_00A39A80
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39A10 NtQuerySection, 3_2_00A39A10
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A3A3B0 NtGetContextThread, 3_2_00A3A3B0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39B00 NtSetValueKey, 3_2_00A39B00
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A395F0 NtQueryInformationFile, 3_2_00A395F0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39520 NtWaitForSingleObject, 3_2_00A39520
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A3AD30 NtSetContextThread, 3_2_00A3AD30
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39560 NtWriteFile, 3_2_00A39560
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A396D0 NtCreateKey, 3_2_00A396D0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39610 NtEnumerateValueKey, 3_2_00A39610
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39670 NtQueryInformationProcess, 3_2_00A39670
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39650 NtQueryValueKey, 3_2_00A39650
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39730 NtQueryVirtualMemory, 3_2_00A39730
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A3A710 NtOpenProcessToken, 3_2_00A3A710
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39760 NtOpenProcess, 3_2_00A39760
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A39770 NtSetInformationFile, 3_2_00A39770
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A3A770 NtOpenThread, 3_2_00A3A770
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_004181C0 NtCreateFile, 3_1_004181C0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_00418270 NtReadFile, 3_1_00418270
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_004182F0 NtClose, 3_1_004182F0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_004183A0 NtAllocateVirtualMemory, 3_1_004183A0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_0041826B NtReadFile, 3_1_0041826B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9540 NtReadFile, LdrInitializeThunk, 7_2_045C9540
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C95D0 NtClose, LdrInitializeThunk, 7_2_045C95D0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9650 NtQueryValueKey, LdrInitializeThunk, 7_2_045C9650
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9660 NtAllocateVirtualMemory, LdrInitializeThunk, 7_2_045C9660
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C96D0 NtCreateKey, LdrInitializeThunk, 7_2_045C96D0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C96E0 NtFreeVirtualMemory, LdrInitializeThunk, 7_2_045C96E0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9710 NtQueryInformationToken, LdrInitializeThunk, 7_2_045C9710
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9FE0 NtCreateMutant, LdrInitializeThunk, 7_2_045C9FE0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9780 NtMapViewOfSection, LdrInitializeThunk, 7_2_045C9780
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9840 NtDelayExecution, LdrInitializeThunk, 7_2_045C9840
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9860 NtQuerySystemInformation, LdrInitializeThunk, 7_2_045C9860
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 7_2_045C9910
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C99A0 NtCreateSection, LdrInitializeThunk, 7_2_045C99A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9A50 NtCreateFile, LdrInitializeThunk, 7_2_045C9A50
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9560 NtWriteFile, 7_2_045C9560
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045CAD30 NtSetContextThread, 7_2_045CAD30
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9520 NtWaitForSingleObject, 7_2_045C9520
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C95F0 NtQueryInformationFile, 7_2_045C95F0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9670 NtQueryInformationProcess, 7_2_045C9670
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9610 NtEnumerateValueKey, 7_2_045C9610
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045CA770 NtOpenThread, 7_2_045CA770
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9770 NtSetInformationFile, 7_2_045C9770
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9760 NtOpenProcess, 7_2_045C9760
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045CA710 NtOpenProcessToken, 7_2_045CA710
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9730 NtQueryVirtualMemory, 7_2_045C9730
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C97A0 NtUnmapViewOfSection, 7_2_045C97A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045CB040 NtSuspendThread, 7_2_045CB040
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9820 NtEnumerateKey, 7_2_045C9820
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C98F0 NtReadVirtualMemory, 7_2_045C98F0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C98A0 NtWriteVirtualMemory, 7_2_045C98A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9950 NtQueueApcThread, 7_2_045C9950
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C99D0 NtCreateProcessEx, 7_2_045C99D0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9A10 NtQuerySection, 7_2_045C9A10
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9A00 NtProtectVirtualMemory, 7_2_045C9A00
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9A20 NtResumeThread, 7_2_045C9A20
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9A80 NtOpenDirectoryObject, 7_2_045C9A80
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045C9B00 NtSetValueKey, 7_2_045C9B00
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045CA3B0 NtGetContextThread, 7_2_045CA3B0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030B83A0 NtAllocateVirtualMemory, 7_2_030B83A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030B8270 NtReadFile, 7_2_030B8270
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030B82F0 NtClose, 7_2_030B82F0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030B81C0 NtCreateFile, 7_2_030B81C0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030B839A NtAllocateVirtualMemory, 7_2_030B839A
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030B826B NtReadFile, 7_2_030B826B
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041B829 3_2_0041B829
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00401030 3_2_00401030
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00408C5B 3_2_00408C5B
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00408C60 3_2_00408C60
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00402D8B 3_2_00402D8B
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00402D90 3_2_00402D90
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041C739 3_2_0041C739
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00402FB0 3_2_00402FB0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 3_2_00A220A0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC20A8 3_2_00AC20A8
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0B090 3_2_00A0B090
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC28EC 3_2_00AC28EC
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1002 3_2_00AB1002
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A14120 3_2_00A14120
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FF900 3_2_009FF900
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC22AE 3_2_00AC22AE
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2EBB0 3_2_00A2EBB0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABDBD2 3_2_00ABDBD2
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC2B28 3_2_00AC2B28
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0841F 3_2_00A0841F
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABD466 3_2_00ABD466
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22581 3_2_00A22581
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0D5E0 3_2_00A0D5E0
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC25DD 3_2_00AC25DD
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC2D07 3_2_00AC2D07
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F0D20 3_2_009F0D20
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC1D55 3_2_00AC1D55
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC2EF7 3_2_00AC2EF7
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A16E30 3_2_00A16E30
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC1FF1 3_2_00AC1FF1
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_0041B829 3_1_0041B829
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_1_00401030 3_1_00401030
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464D466 7_2_0464D466
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0459841F 7_2_0459841F
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04651D55 7_2_04651D55
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04652D07 7_2_04652D07
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04580D20 7_2_04580D20
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046525DD 7_2_046525DD
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0459D5E0 7_2_0459D5E0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045B2581 7_2_045B2581
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045A6E30 7_2_045A6E30
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464D616 7_2_0464D616
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04652EF7 7_2_04652EF7
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04651FF1 7_2_04651FF1
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04641002 7_2_04641002
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046528EC 7_2_046528EC
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0459B090 7_2_0459B090
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046520A8 7_2_046520A8
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045B20A0 7_2_045B20A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0458F900 7_2_0458F900
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045A4120 7_2_045A4120
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046522AE 7_2_046522AE
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04652B28 7_2_04652B28
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464DBD2 7_2_0464DBD2
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_045BEBB0 7_2_045BEBB0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030BB829 7_2_030BB829
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030BC739 7_2_030BC739
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030A2FB0 7_2_030A2FB0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030A2D8B 7_2_030A2D8B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030A2D90 7_2_030A2D90
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030A8C5B 7_2_030A8C5B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_030A8C60 7_2_030A8C60
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: String function: 009FB150 appears 35 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0458B150 appears 35 times
          Source: RCS76393.exe, 00000003.00000002.363023409.0000000000D8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs RCS76393.exe
          Source: RCS76393.exe, 00000003.00000002.362641926.0000000000AEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RCS76393.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
          Source: RCS76393.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: RCS76393.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@12/8
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
          Source: RCS76393.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RCS76393.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown Process created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Users\user\Desktop\RCS76393.exe Process created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RCS76393.exe Process created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: Binary string: msiexec.pdb source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: msiexec.pdbGCTL source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RCS76393.exe, 00000003.00000002.362641926.0000000000AEF000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.588142042.0000000004560000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RCS76393.exe, msiexec.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\RCS76393.exe Unpacked PE file: 3.2.RCS76393.exe.400000.0.unpack .text:ER;.data:W;.jidiy:W;.wahe:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;
          Source: RCS76393.exe Static PE information: section name: .jidiy
          Source: RCS76393.exe Static PE information: section name: .wahe
          Source: RCS76393.exe Static PE information: section name: .new
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00416257 push ebx; retf 3_2_00416259
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_004072E3 push esp; retf 3_2_004072EF
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041B3B5 push eax; ret 3_2_0041B408
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041B46C push eax; ret 3_2_0041B472
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041B402 push eax; ret 3_2_0041B408
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_0041B40B push eax; ret 3_2_0041B472
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00415FDB push es; iretd