Windows Analysis Report boI88C399w.exe

ID:	437123
Product:	CloudBasic
Start time:	12:41:52
Start date:	19.06.2021
Sample:	boI88C399w.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0a82064af051bad014b77038d60474b6
SHA1:	f7bf190091d5fe307cfaeed630eeb341c935bda0
SHA256:	8f165a26d7e9ad72cb0d51cf01076cc4b0099a244cd4e702645d36dc788dd0cc
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: boI88C399w.exe

Avira: detected

Found malware configuration

Source: 0.2.boI88C399w.exe.75fdc0.2.raw.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["88.153.35.32:80", "107.170.146.252:8080", "173.212.214.235:7080", "167.114.153.111:8080", "202.141.243.254:443", "75.143.247.51:80", "85.105.111.166:80", "216.139.123.119:80", "113.61.66.94:80", "162.241.140.129:8080", "190.12.119.180:443", "2.58.16.89:8080", "91.211.88.52:7080", "93.147.212.206:80", "71.15.245.148:8080", "157.245.99.39:8080", "27.114.9.93:80", "50.91.114.38:80", "174.106.122.139:80", "47.36.140.164:80", "139.162.60.124:8080", "209.54.13.14:80", "217.20.166.178:7080", "185.94.252.104:443", "72.186.136.247:443", "172.86.188.251:8080", "41.185.28.84:8080", "87.106.139.101:8080", "89.216.122.92:80", "108.46.29.236:80", "184.180.181.202:80", "173.63.222.65:80", "120.150.60.189:80", "62.30.7.67:443", "139.99.158.11:443", "220.245.198.194:80", "138.68.87.218:443", "201.241.127.190:80", "186.74.215.34:80", "190.162.215.233:80", "24.178.90.49:80", "89.121.205.18:80", "5.39.91.110:7080", "59.125.219.109:443", "182.208.30.18:443", "123.176.25.234:80", "24.137.76.62:80", "74.208.45.104:8080", "194.187.133.160:443", "37.179.204.33:80", "194.4.58.192:7080", "95.9.5.93:80", "67.170.250.203:443", "61.33.119.226:443", "96.245.227.43:80", "68.115.186.26:80", "190.108.228.27:443", "112.185.64.233:80", "176.111.60.55:8080", "91.146.156.228:80", "190.240.194.77:443", "115.94.207.99:443", "62.171.142.179:8080", "134.209.144.106:443", "168.235.67.138:7080", "124.41.215.226:80", "172.104.97.173:8080", "202.134.4.216:8080", "94.200.114.161:80", "67.163.161.107:80", "61.76.222.210:80", "97.82.79.83:80", "74.214.230.200:80", "46.105.131.79:8080", "78.188.106.53:443", "186.70.56.94:443", "120.150.218.241:443", "50.245.107.73:443", "123.142.37.166:80", "110.145.77.103:80", "61.19.246.238:443", "218.147.193.146:80", "94.230.70.6:80", "154.91.33.137:443", "104.131.11.150:443", "95.213.236.64:8080", "49.50.209.131:80", "187.161.206.24:80", "37.139.21.175:8080", "121.124.124.40:7080", "200.116.145.225:443", "24.230.141.169:80", "194.190.67.75:80", "209.141.54.221:7080", "137.59.187.107:8080", "217.123.207.149:80", "24.133.106.23:80", "79.137.83.50:443", "24.179.13.119:80", "202.134.4.211:8080", "78.24.219.147:8080", "76.175.162.101:80", "121.7.31.214:80", "62.75.141.82:80", "109.74.5.95:8080", "75.188.96.231:80", "176.113.52.6:443", "50.35.17.13:80", "118.83.154.64:443", "110.142.236.207:80", "188.219.31.12:80", "72.143.73.234:443", "102.182.93.220:80", "66.76.12.94:8080", "103.86.49.11:8080", "190.164.104.62:80", "203.153.216.189:7080", "119.59.116.21:8080", "172.105.13.66:443", "94.23.237.171:443", "49.3.224.99:8080", "139.59.60.244:8080", "172.91.208.86:80"]}

Multi AV Scanner detection for submitted file

Source: boI88C399w.exe	Virustotal: Detection: 81%			Perma Link
Source: boI88C399w.exe	Metadefender: Detection: 71%			Perma Link
Source: boI88C399w.exe	ReversingLabs: Detection: 89%

Machine Learning detection for sample

Source: boI88C399w.exe

Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B72290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,		5_2_02B72290
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B72650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,		5_2_02B72650
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B71FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,		5_2_02B71FB0

Compliance:

Uses 32bit PE files

Source: boI88C399w.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_024738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_024738F0
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		5_2_02B738F0

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 88.153.35.32:80
Source: Malware configuration extractor	IPs: 107.170.146.252:8080
Source: Malware configuration extractor	IPs: 173.212.214.235:7080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 202.141.243.254:443
Source: Malware configuration extractor	IPs: 75.143.247.51:80
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 216.139.123.119:80
Source: Malware configuration extractor	IPs: 113.61.66.94:80
Source: Malware configuration extractor	IPs: 162.241.140.129:8080
Source: Malware configuration extractor	IPs: 190.12.119.180:443
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 71.15.245.148:8080
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 27.114.9.93:80
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 174.106.122.139:80
Source: Malware configuration extractor	IPs: 47.36.140.164:80
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 209.54.13.14:80
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 72.186.136.247:443
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 108.46.29.236:80
Source: Malware configuration extractor	IPs: 184.180.181.202:80
Source: Malware configuration extractor	IPs: 173.63.222.65:80
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 201.241.127.190:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 190.162.215.233:80
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 89.121.205.18:80
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 59.125.219.109:443
Source: Malware configuration extractor	IPs: 182.208.30.18:443
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 37.179.204.33:80
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 67.170.250.203:443
Source: Malware configuration extractor	IPs: 61.33.119.226:443
Source: Malware configuration extractor	IPs: 96.245.227.43:80
Source: Malware configuration extractor	IPs: 68.115.186.26:80
Source: Malware configuration extractor	IPs: 190.108.228.27:443
Source: Malware configuration extractor	IPs: 112.185.64.233:80
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 91.146.156.228:80
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 115.94.207.99:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 124.41.215.226:80
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 67.163.161.107:80
Source: Malware configuration extractor	IPs: 61.76.222.210:80
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 74.214.230.200:80
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 78.188.106.53:443
Source: Malware configuration extractor	IPs: 186.70.56.94:443
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 50.245.107.73:443
Source: Malware configuration extractor	IPs: 123.142.37.166:80
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 218.147.193.146:80
Source: Malware configuration extractor	IPs: 94.230.70.6:80
Source: Malware configuration extractor	IPs: 154.91.33.137:443
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 49.50.209.131:80
Source: Malware configuration extractor	IPs: 187.161.206.24:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 24.230.141.169:80
Source: Malware configuration extractor	IPs: 194.190.67.75:80
Source: Malware configuration extractor	IPs: 209.141.54.221:7080
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 217.123.207.149:80
Source: Malware configuration extractor	IPs: 24.133.106.23:80
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 24.179.13.119:80
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 76.175.162.101:80
Source: Malware configuration extractor	IPs: 121.7.31.214:80
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 75.188.96.231:80
Source: Malware configuration extractor	IPs: 176.113.52.6:443
Source: Malware configuration extractor	IPs: 50.35.17.13:80
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 72.143.73.234:443
Source: Malware configuration extractor	IPs: 102.182.93.220:80
Source: Malware configuration extractor	IPs: 66.76.12.94:8080
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 190.164.104.62:80
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 172.105.13.66:443
Source: Malware configuration extractor	IPs: 94.23.237.171:443
Source: Malware configuration extractor	IPs: 49.3.224.99:8080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 172.91.208.86:80

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 36

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.3:49728 -> 107.170.146.252:8080
Source: global traffic	TCP traffic: 192.168.2.3:49745 -> 173.212.214.235:7080
Source: global traffic	TCP traffic: 192.168.2.3:49746 -> 167.114.153.111:8080

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 115.94.207.99 115.94.207.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: AfrihostZA AfrihostZA
Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.3:49724 -> 88.153.35.32:80
Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 202.141.243.254:443
Source: global traffic	TCP traffic: 192.168.2.3:49750 -> 75.143.247.51:80
Source: global traffic	TCP traffic: 192.168.2.3:49751 -> 85.105.111.166:80
Source: global traffic	TCP traffic: 192.168.2.3:49752 -> 216.139.123.119:80

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 88.153.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 107.170.146.252
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.214.235
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown	TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown	TCP traffic detected without corresponding DNS query: 202.141.243.254
Source: unknown	TCP traffic detected without corresponding DNS query: 75.143.247.51
Source: unknown	TCP traffic detected without corresponding DNS query: 75.143.247.51
Source: unknown	TCP traffic detected without corresponding DNS query: 75.143.247.51
Source: unknown	TCP traffic detected without corresponding DNS query: 85.105.111.166
Source: unknown	TCP traffic detected without corresponding DNS query: 85.105.111.166
Source: unknown	TCP traffic detected without corresponding DNS query: 85.105.111.166
Source: unknown	TCP traffic detected without corresponding DNS query: 216.139.123.119
Source: unknown	TCP traffic detected without corresponding DNS query: 216.139.123.119
Source: unknown	TCP traffic detected without corresponding DNS query: 216.139.123.119

URLs found in memory or binary data

Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/AmfQn/laoa/
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/AmfQn/laoa/g
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/AmfQn/laoa/m32
Source: fc.exe, 00000005.00000002.577528007.00000000032E0000.00000004.00000001.sdmp	String found in binary or memory: http://173.212.214.235:7080/QDQtiYj/vpRVOewQUQw/
Source: fc.exe, 00000005.00000002.577528007.00000000032E0000.00000004.00000001.sdmp	String found in binary or memory: http://173.212.214.235:7080/QDQtiYj/vpRVOewQUQw/Li
Source: fc.exe, 00000005.00000002.577528007.00000000032E0000.00000004.00000001.sdmp	String found in binary or memory: http://173.212.214.235:7080/QDQtiYj/vpRVOewQUQw/s
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://202.141.243.254:443/pnAiI1qDTX4MOWqj5/rKh0M3hfFy7/724FLNcoQQG/kEVoVU2yQVRTXfUnKo/
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://202.141.243.254:443/pnAiI1qDTX4MOWqj5/rKh0M3hfFy7/724FLNcoQQG/kEVoVU2yQVRTXfUnKo/7
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://216.139.123.119/jS1u1RylwJ0/ushYaxCswmnhpg8wg/IFRzwb/XI7ecLcKBMfSHZz/
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://216.139.123.119/jS1u1RylwJ0/ushYaxCswmnhpg8wg/IFRzwb/XI7ecLcKBMfSHZz/VR
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://75.143.247.51/uRFHuG0msb/ffbgj4v2OG95Kn7J/dP2odtQaTNo5/
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://75.143.247.51/uRFHuG0msb/ffbgj4v2OG95Kn7J/dP2odtQaTNo5/F
Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: http://85.105.111.166/6iiGh76IeO/aJgypRAqW/2V5m3orudg9mFaTWI/
Source: fc.exe, 00000005.00000003.321436070.00000000034BA000.00000004.00000001.sdmp	String found in binary or memory: https://fs.microsoft.cYc/Tl5gD37u1c6qu/DYYIe0MAxvvXe/

Uses HTTPS

Source: unknown

Network traffic detected: HTTP traffic on port 49747 -> 443

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 00000005.00000002.577302353.0000000002B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.225706038.0000000002471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.573236388.00000000004F9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.225568967.0000000000738000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.266432635.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.fc.exe.5ac3b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.fc.exe.5ac3b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.fc.exe.2b70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.fc.exe.5ac3b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.75fdc0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.75fdc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.2470000.3.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Source: C:\Windows\SysWOW64\wincorlib\fc.exe

Code function: 5_2_02B72650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

5_2_02B72650

System Summary:

Contains functionality to call native functions

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_024501F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,		0_2_024501F0
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B601F0 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,		5_2_02B601F0

Creates files inside the system directory

Source: C:\Users\user\Desktop\boI88C399w.exe

File created: C:\Windows\SysWOW64\wincorlib\

Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\Desktop\boI88C399w.exe

File deleted: C:\Windows\SysWOW64\wincorlib\fc.exe:Zone.Identifier

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_00451D80		0_2_00451D80
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02478240		0_2_02478240
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02477740		0_2_02477740
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02473F20		0_2_02473F20
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02473BA0		0_2_02473BA0
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02471C70		0_2_02471C70
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02473D10		0_2_02473D10
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02476530		0_2_02476530
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B78240		5_2_02B78240
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B73BA0		5_2_02B73BA0
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B76530		5_2_02B76530
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B73F20		5_2_02B73F20
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B73D10		5_2_02B73D10
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B71C70		5_2_02B71C70
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B77740		5_2_02B77740

PE file contains strange resources

Source: boI88C399w.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: boI88C399w.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: boI88C399w.exe, 00000000.00000002.225404132.0000000000470000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEKPaint2.exe vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.225988358.0000000002D70000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.226263049.0000000003980000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs boI88C399w.exe
Source: boI88C399w.exe, 00000000.00000002.226263049.0000000003980000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs boI88C399w.exe
Source: boI88C399w.exe	Binary or memory string: OriginalFilenameSEKPaint2.exe vs boI88C399w.exe

Uses 32bit PE files

Source: boI88C399w.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Binary contains paths to development resources

Source: boI88C399w.exe	Binary or memory string: F*\AC:\sekpaint20\SEKPaint2.vbp
Source: boI88C399w.exe, 00000000.00000002.225396242.000000000046C000.00000004.00020000.sdmp, fc.exe, 00000005.00000002.572856154.000000000046C000.00000004.00020000.sdmp	Binary or memory string: @*\AC:\sekpaint20\SEKPaint2.vbp

Classification label

Source: classification engine

Classification label: mal88.troj.evad.winEXE@5/0@0/100

Contains functionality to create services

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

0_2_024787D0

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\wincorlib\fc.exe

Code function: 5_2_02B74CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

5_2_02B74CB0

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: 0_2_02475070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_02475070

PE file has an executable .text section and no other executable section

Source: boI88C399w.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\boI88C399w.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\boI88C399w.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\boI88C399w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: boI88C399w.exe	Virustotal: Detection: 81%
Source: boI88C399w.exe	Metadefender: Detection: 71%
Source: boI88C399w.exe	ReversingLabs: Detection: 89%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\boI88C399w.exe 'C:\Users\user\Desktop\boI88C399w.exe'
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\SysWOW64\wincorlib\fc.exe C:\Windows\SysWOW64\wincorlib\fc.exe
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process created: C:\Windows\SysWOW64\wincorlib\fc.exe C:\Windows\SysWOW64\wincorlib\fc.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\boI88C399w.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Data Obfuscation:

PE file contains an invalid checksum

Source: boI88C399w.exe

Static PE information: real checksum: 0x8839b should be: 0x8f92d

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_0040C8B4 push es; retf		0_2_0040C8D3
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_0040C915 push ds; iretd		0_2_0040C91F
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475E10 push ecx; mov dword ptr [esp], 0000F5B3h		0_2_02475E11
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475EF0 push ecx; mov dword ptr [esp], 0000669Ch		0_2_02475EF1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475EA0 push ecx; mov dword ptr [esp], 0000A3FDh		0_2_02475EA1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475F20 push ecx; mov dword ptr [esp], 0000E36Ch		0_2_02475F21
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475CD0 push ecx; mov dword ptr [esp], 00001CE1h		0_2_02475CD1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475D50 push ecx; mov dword ptr [esp], 00006847h		0_2_02475D51
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475D00 push ecx; mov dword ptr [esp], 00001F9Eh		0_2_02475D01
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475D20 push ecx; mov dword ptr [esp], 0000C5A1h		0_2_02475D21
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475DC0 push ecx; mov dword ptr [esp], 000089FAh		0_2_02475DC1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475DF0 push ecx; mov dword ptr [esp], 0000AAF5h		0_2_02475DF1
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02475D90 push ecx; mov dword ptr [esp], 0000B2E0h		0_2_02475D91
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75EA0 push ecx; mov dword ptr [esp], 0000A3FDh		5_2_02B75EA1
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75D90 push ecx; mov dword ptr [esp], 0000B2E0h		5_2_02B75D91
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75DF0 push ecx; mov dword ptr [esp], 0000AAF5h		5_2_02B75DF1
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75EF0 push ecx; mov dword ptr [esp], 0000669Ch		5_2_02B75EF1
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75CD0 push ecx; mov dword ptr [esp], 00001CE1h		5_2_02B75CD1
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75DC0 push ecx; mov dword ptr [esp], 000089FAh		5_2_02B75DC1
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75D20 push ecx; mov dword ptr [esp], 0000C5A1h		5_2_02B75D21
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75F20 push ecx; mov dword ptr [esp], 0000E36Ch		5_2_02B75F21
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75E10 push ecx; mov dword ptr [esp], 0000F5B3h		5_2_02B75E11
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75D00 push ecx; mov dword ptr [esp], 00001F9Eh		5_2_02B75D01
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B75D50 push ecx; mov dword ptr [esp], 00006847h		5_2_02B75D51

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 6.95649403306

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\boI88C399w.exe

Executable created and started: C:\Windows\SysWOW64\wincorlib\fc.exe

Jump to behavior

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\boI88C399w.exe

PE file moved: C:\Windows\SysWOW64\wincorlib\fc.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\boI88C399w.exe

File opened: C:\Windows\SysWOW64\wincorlib\fc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\splwow64.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\boI88C399w.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\boI88C399w.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_02475070

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\boI88C399w.exe

API coverage: 8.1 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\splwow64.exe

Last function: Thread delayed

Checks the free space of harddrives

Source: C:\Users\user\Desktop\boI88C399w.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_024738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_024738F0
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B738F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		5_2_02B738F0

Contains medium sleeps (>= 30s)

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: fc.exe, 00000005.00000002.578075995.00000000034A6000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Queries a list of all running processes

Source: C:\Windows\SysWOW64\wincorlib\fc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02474E20 mov eax, dword ptr fs:[00000030h]		0_2_02474E20
Source: C:\Users\user\Desktop\boI88C399w.exe	Code function: 0_2_02473F20 mov eax, dword ptr fs:[00000030h]		0_2_02473F20
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B73F20 mov eax, dword ptr fs:[00000030h]		5_2_02B73F20
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Code function: 5_2_02B74E20 mov eax, dword ptr fs:[00000030h]		5_2_02B74E20

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: 0_2_02477EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle,

0_2_02477EC0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: fc.exe, 00000005.00000002.574245798.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: fc.exe, 00000005.00000002.574245798.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: fc.exe, 00000005.00000002.574245798.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: fc.exe, 00000005.00000002.574245798.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\boI88C399w.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\wincorlib\fc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\boI88C399w.exe

Code function: 0_2_02478240 CreateFileW,CreateFileW,GetModuleFileNameW,GetSystemTimeAsFileTime,CloseHandle,

0_2_02478240

Contains functionality to query windows version

Source: C:\Windows\SysWOW64\wincorlib\fc.exe

Code function: 5_2_02B75360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

5_2_02B75360

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\wincorlib\fc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 00000005.00000002.577302353.0000000002B71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.225706038.0000000002471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.573236388.00000000004F9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.225568967.0000000000738000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.266432635.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.fc.exe.5ac3b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.fc.exe.5ac3b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.fc.exe.2b70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.fc.exe.5ac3b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.75fdc0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.75fdc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.boI88C399w.exe.2470000.3.unpack, type: UNPACKEDPE