
Windows Analysis Report wREFu91LXZ.exe

Overview

General Information

Sample Name:wREFu91LXZ.exe
Analysis ID:452405
MD5:686dc98567009e47eac88e95804b9dde
SHA1:5788c30289d12f69d5cf323049d8d3c3a3e73cda
SHA256:11d84c7f9c579c2e58f4acc04d488d5f1c6cc0439609099eabec42444f5ef952
Tags:exeFormbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • wREFu91LXZ.exe (PID: 5912 cmdline: 'C:\Users\user\Desktop\wREFu91LXZ.exe' MD5: 686DC98567009E47EAC88E95804B9DDE)
    • wREFu91LXZ.exe (PID: 492 cmdline: 'C:\Users\user\Desktop\wREFu91LXZ.exe' MD5: 686DC98567009E47EAC88E95804B9DDE)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 5256 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6084 cmdline: /c del 'C:\Users\user\Desktop\wREFu91LXZ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xa83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
3.1.wREFu91LXZ.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.wREFu91LXZ.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.wREFu91LXZ.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166c9:$sqlite3step: 68 34 1C 7B E1
        • 0x167dc:$sqlite3step: 68 34 1C 7B E1
        • 0x166f8:$sqlite3text: 68 38 2A 90 C5
        • 0x1681d:$sqlite3text: 68 38 2A 90 C5
        • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.wREFu91LXZ.exe.21a0000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.wREFu91LXZ.exe.21a0000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
          Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: wREFu91LXZ.exe, Virustotal: Detection: 31%
Source: wREFu91LXZ.exe, ReversingLabs: Detection: 53%
Yara detected FormBook
          Source: Yara matchFile source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: wREFu91LXZ.exe, Joe Sandbox ML: detected
          Source: 10.2.msiexec.exe.48c7960.5.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 10.2.msiexec.exe.22b358.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.2.wREFu91LXZ.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.1.wREFu91LXZ.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.wREFu91LXZ.exe.680000.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: wREFu91LXZ.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: Binary string: msiexec.pdb source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
          Source: Binary string: msiexec.pdbGCTL source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: wREFu91LXZ.exe, 00000001.00000003.226799711.0000000002330000.00000004.00000001.sdmp, wREFu91LXZ.exe, 00000003.00000002.284645298.0000000000C2F000.00000040.00000001.sdmp, msiexec.exe, 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: wREFu91LXZ.exe, msiexec.exe
          Source: C:\Users\user\Desktop\wREFu91LXZ.exeCode function: 4x nop then pop esi3_2_00415852
          Source: C:\Users\user\Desktop\wREFu91LXZ.exeCode function: 4x nop then pop ebx3_2_00406A98
          Source: C:\Users\user\Desktop\wREFu91LXZ.exeCode function: 4x nop then pop edi3_2_00415699
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then pop ebx10_2_02A16A99
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then pop esi10_2_02A25852
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 4x nop then pop edi10_2_02A25699

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 52.5.43.61:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 52.5.43.61:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 52.5.43.61:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49739 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 50.87.238.189:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 50.87.238.189:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 50.87.238.189:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 50.87.248.20:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 50.87.248.20:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 50.87.248.20:80
C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: www.extinctionbrews.com/dy8g/
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W HTTP/1.1Host: www.chaneabond.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W HTTP/1.1Host: www.cajunseafoodstcloud.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W HTTP/1.1Host: www.extinctionbrews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W HTTP/1.1Host: www.tinsley.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=XQ+IsuOG6xtA2RDWfBD5IRfVZekOdoA9gy19PVXp7eWYHk3qJ48ISdkxrcmrsJaPDNZD&sxlxj=RL30W HTTP/1.1Host: www.surivaganza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W HTTP/1.1Host: www.matcitekids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 198.185.159.144 198.185.159.144
          Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=0Hs+m/QFKKZkFwACjLHyI7vfWqidr4y2jXRg5Hngc5JW+skIzqaHxis+6ShLP6A0B+d4&sxlxj=RL30W HTTP/1.1Host: www.chaneabond.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpA7pfREgQYT&sxlxj=RL30W HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=sC7FhjJqcCFIEoUuEobIBnrRYwOZzG9nc/x6jFk5Keq5TgsKgOpKFfaz6JoBJPzzv7cu&sxlxj=RL30W HTTP/1.1Host: www.cajunseafoodstcloud.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoFjnAjbDmWUu&sxlxj=RL30W HTTP/1.1Host: www.extinctionbrews.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=iVPDfBhYBy5JvywJlu7/jTaNaIK/WCHUrbFXeojMH/nMVdHPbpxjQuq5aGN6jhO1pTuT&sxlxj=RL30W HTTP/1.1Host: www.tinsley.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=XQ+IsuOG6xtA2RDWfBD5IRfVZekOdoA9gy19PVXp7eWYHk3qJ48ISdkxrcmrsJaPDNZD&sxlxj=RL30W HTTP/1.1Host: www.surivaganza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dy8g/?9rrLUp1=dI9eO6GEnVuhhF2IZBGZI9CJMc/scmM0Fs5NmUifzPq1VUdHCmcaYQjC6cJJVTF2eMwa&sxlxj=RL30W HTTP/1.1Host: www.matcitekids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.chaneabond.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 08:09:41 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>
          Source: explorer.exe, 00000005.00000000.248833107.0000000008A3A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000000.248948750.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

Yara detected FormBook
          Source: Yara matchFile source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
          Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_004181D0 NtCreateFile | 3_2_004181D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00418280 NtReadFile | 3_2_00418280
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00418300 NtClose | 3_2_00418300
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_004183B0 NtAllocateVirtualMemory | 3_2_004183B0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00418222 NtCreateFile | 3_2_00418222
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_004183AA NtAllocateVirtualMemory | 3_2_004183AA
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B798F0 NtReadVirtualMemory, LdrInitializeThunk | 3_2_00B798F0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79860 NtQuerySystemInformation, LdrInitializeThunk | 3_2_00B79860
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79840 NtDelayExecution, LdrInitializeThunk | 3_2_00B79840
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B799A0 NtCreateSection, LdrInitializeThunk | 3_2_00B799A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79910 NtAdjustPrivilegesToken, LdrInitializeThunk | 3_2_00B79910
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79A20 NtResumeThread, LdrInitializeThunk | 3_2_00B79A20
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79A00 NtProtectVirtualMemory, LdrInitializeThunk | 3_2_00B79A00
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79A50 NtCreateFile, LdrInitializeThunk | 3_2_00B79A50
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B795D0 NtClose, LdrInitializeThunk | 3_2_00B795D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79540 NtReadFile, LdrInitializeThunk | 3_2_00B79540
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B796E0 NtFreeVirtualMemory, LdrInitializeThunk | 3_2_00B796E0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79660 NtAllocateVirtualMemory, LdrInitializeThunk | 3_2_00B79660
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B797A0 NtUnmapViewOfSection, LdrInitializeThunk | 3_2_00B797A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79780 NtMapViewOfSection, LdrInitializeThunk | 3_2_00B79780
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79FE0 NtCreateMutant, LdrInitializeThunk | 3_2_00B79FE0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79710 NtQueryInformationToken, LdrInitializeThunk | 3_2_00B79710
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B798A0 NtWriteVirtualMemory | 3_2_00B798A0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79820 NtEnumerateKey | 3_2_00B79820
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B7B040 NtSuspendThread | 3_2_00B7B040
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B799D0 NtCreateProcessEx | 3_2_00B799D0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79950 NtQueueApcThread | 3_2_00B79950
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79A80 NtOpenDirectoryObject | 3_2_00B79A80
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B79A10 NtQuerySection | 3_2_00B79A10
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B7A3B0 NtGetContextThread | 3_2_00B7A3B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9860 NtQuerySystemInformation, LdrInitializeThunk | 10_2_043F9860
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9840 NtDelayExecution, LdrInitializeThunk | 10_2_043F9840
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9910 NtAdjustPrivilegesToken, LdrInitializeThunk | 10_2_043F9910
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9540 NtReadFile, LdrInitializeThunk | 10_2_043F9540
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F99A0 NtCreateSection, LdrInitializeThunk | 10_2_043F99A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F95D0 NtClose, LdrInitializeThunk | 10_2_043F95D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9660 NtAllocateVirtualMemory, LdrInitializeThunk | 10_2_043F9660
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9A50 NtCreateFile, LdrInitializeThunk | 10_2_043F9A50
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9650 NtQueryValueKey, LdrInitializeThunk | 10_2_043F9650
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F96E0 NtFreeVirtualMemory, LdrInitializeThunk | 10_2_043F96E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F96D0 NtCreateKey, LdrInitializeThunk | 10_2_043F96D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9710 NtQueryInformationToken, LdrInitializeThunk | 10_2_043F9710
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9780 NtMapViewOfSection, LdrInitializeThunk | 10_2_043F9780
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9FE0 NtCreateMutant, LdrInitializeThunk | 10_2_043F9FE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9820 NtEnumerateKey | 10_2_043F9820
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043FB040 NtSuspendThread | 10_2_043FB040
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F98A0 NtWriteVirtualMemory | 10_2_043F98A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F98F0 NtReadVirtualMemory | 10_2_043F98F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043FAD30 NtSetContextThread | 10_2_043FAD30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9520 NtWaitForSingleObject | 10_2_043F9520
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9560 NtWriteFile | 10_2_043F9560
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9950 NtQueueApcThread | 10_2_043F9950
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F95F0 NtQueryInformationFile | 10_2_043F95F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F99D0 NtCreateProcessEx | 10_2_043F99D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9A20 NtResumeThread | 10_2_043F9A20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9610 NtEnumerateValueKey | 10_2_043F9610
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9A10 NtQuerySection | 10_2_043F9A10
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9A00 NtProtectVirtualMemory | 10_2_043F9A00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9670 NtQueryInformationProcess | 10_2_043F9670
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9A80 NtOpenDirectoryObject | 10_2_043F9A80
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9730 NtQueryVirtualMemory | 10_2_043F9730
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043FA710 NtOpenProcessToken | 10_2_043FA710
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9B00 NtSetValueKey | 10_2_043F9B00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9770 NtSetInformationFile | 10_2_043F9770
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043FA770 NtOpenThread | 10_2_043FA770
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F9760 NtOpenProcess | 10_2_043F9760
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043FA3B0 NtGetContextThread | 10_2_043FA3B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043F97A0 NtUnmapViewOfSection | 10_2_043F97A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A28280 NtReadFile | 10_2_02A28280
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A283B0 NtAllocateVirtualMemory | 10_2_02A283B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A28300 NtClose | 10_2_02A28300
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A281D0 NtCreateFile | 10_2_02A281D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A28222 NtCreateFile | 10_2_02A28222
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A283AA NtAllocateVirtualMemory | 10_2_02A283AA
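The native functions listed above for PID 3 (the dropper) and PID 10 (msiexec.exe) include the full set of primitives behind the "Sample uses process hollowing technique" and "Queues an APC in another process" signatures: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory/NtMapViewOfSection, NtSetContextThread/NtQueueApcThread and NtResumeThread. The following is an added worked example, not part of this Joe Sandbox report or of the analysed sample: it shows how a detection can score a per-process API trace against that chain in order. The trace lines, their format and the call order are constructed for illustration (the report lists which functions exist, not the sequence in which they were called).

```python
"""Score an API-call trace for the process-hollowing / APC-injection chain.

Added example for this report; the trace format and call order are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Stages of the chain with the native calls that satisfy each one.
HOLLOWING_STAGES = [
    ("spawn target", {"NtCreateProcessEx", "NtCreateUserProcess"}),
    ("evict original image", {"NtUnmapViewOfSection"}),
    ("place payload", {"NtWriteVirtualMemory", "NtMapViewOfSection"}),
    ("redirect execution", {"NtSetContextThread", "NtQueueApcThread"}),
    ("run payload", {"NtResumeThread"}),
]

# Constructed trace: "<pid> <address> <Api>[,<Api>...]", mirroring the functions the report
# lists for PIDs 3 and 10. The ordering is invented for the example.
TRACE = """\
3 00B799D0 NtCreateProcessEx
3 00B797A0 NtUnmapViewOfSection,LdrInitializeThunk
3 00B79660 NtAllocateVirtualMemory,LdrInitializeThunk
3 00B798A0 NtWriteVirtualMemory
3 00B79950 NtQueueApcThread
3 00B79A20 NtResumeThread,LdrInitializeThunk
10 043F9540 NtReadFile,LdrInitializeThunk
10 043FAD30 NtSetContextThread
10 043F9A20 NtResumeThread,LdrInitializeThunk
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>\S+)$")


def parse_trace(text: str) -> dict[int, list[str]]:
    """Group the API names called by each PID, preserving their order."""
    calls: dict[int, list[str]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        calls[int(m.group("pid"))].extend(a for a in m.group("apis").split(",") if a)
    return dict(calls)


def score_hollowing(apis: list[str]) -> tuple[int, list[str]]:
    """Walk the chain in order; a stage only counts if it appears after the previous one.

    Returns (number of stages matched, names of the matched stages)."""
    matched: list[str] = []
    position = 0
    for stage, wanted in HOLLOWING_STAGES:
        for i in range(position, len(apis)):
            if apis[i] in wanted:
                matched.append(stage)
                position = i + 1
                break
    return len(matched), matched


def detect(text: str, threshold: int = 4) -> dict[int, bool]:
    """Flag every PID whose ordered chain reaches at least `threshold` of the five stages."""
    return {pid: score_hollowing(apis)[0] >= threshold for pid, apis in parse_trace(text).items()}


if __name__ == "__main__":
    for pid, apis in parse_trace(TRACE).items():
        print(pid, score_hollowing(apis))
    print(detect(TRACE))
```

In the constructed trace PID 3 completes all five stages and is flagged, while PID 10 only shows the last two (NtSetContextThread followed by NtResumeThread) and stays below the threshold. On a real trace the spawning process and the process receiving the payload are different PIDs, so the same scoring must be run per injector and the stage calls correlated by target handle; the report's listing shows these primitives in both the dropper and msiexec.exe because the payload carries its own native-call stubs into every process it migrates to.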
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0040102E | 3_2_0040102E
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00401030 | 3_2_00401030
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041B8FB | 3_2_0041B8FB
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00408C6C | 3_2_00408C6C
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00408C70 | 3_2_00408C70
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041B57A | 3_2_0041B57A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00402D88 | 3_2_00402D88
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041C58A | 3_2_0041C58A
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00402D90 | 3_2_00402D90
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B4B090 | 3_2_00B4B090
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00BF1002 | 3_2_00BF1002
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B54120 | 3_2_00B54120
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B3F900 | 3_2_00B3F900
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B6EBB0 | 3_2_00B6EBB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043C841F | 10_2_043C841F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04471002 | 10_2_04471002
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043CB090 | 10_2_043CB090
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043B0D20 | 10_2_043B0D20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_04481D55 | 10_2_04481D55
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043D4120 | 10_2_043D4120
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043BF900 | 10_2_043BF900
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043D6E30 | 10_2_043D6E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_043EEBB0 | 10_2_043EEBB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2B8FB | 10_2_02A2B8FB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A12FB0 | 10_2_02A12FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A18C6C | 10_2_02A18C6C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A18C70 | 10_2_02A18C70
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2C58A | 10_2_02A2C58A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A12D88 | 10_2_02A12D88
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A12D90 | 10_2_02A12D90
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2B57A | 10_2_02A2B57A
Source: wREFu91LXZ.exe, 00000001.00000003.227334681.000000000263F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs wREFu91LXZ.exe
Source: wREFu91LXZ.exe, 00000003.00000002.284453440.0000000000A4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs wREFu91LXZ.exe
Source: wREFu91LXZ.exe, 00000003.00000002.284645298.0000000000C2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs wREFu91LXZ.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: wREFu91LXZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.wREFu91LXZ.exe.21a0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.wREFu91LXZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.wREFu91LXZ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.wREFu91LXZ.exe.21a0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.230049818.00000000021A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.273287950.0000000006399000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.486466512.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.487707401.0000000004060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.487516890.0000000002A10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.283872070.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.284026050.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.227451103.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.284250937.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@12/7
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_01
Source: wREFu91LXZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: wREFu91LXZ.exe | Virustotal: Detection: 31%
Source: wREFu91LXZ.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | File read: C:\Users\user\Desktop\wREFu91LXZ.exe
Source: unknown | Process created: C:\Users\user\Desktop\wREFu91LXZ.exe 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Process created: C:\Users\user\Desktop\wREFu91LXZ.exe 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\wREFu91LXZ.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: Binary string: msiexec.pdb | source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: wREFu91LXZ.exe, 00000003.00000002.284421615.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: wREFu91LXZ.exe, 00000001.00000003.226799711.0000000002330000.00000004.00000001.sdmp, wREFu91LXZ.exe, 00000003.00000002.284645298.0000000000C2F000.00000040.00000001.sdmp, msiexec.exe, 0000000A.00000002.487880611.0000000004390000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: wREFu91LXZ.exe, msiexec.exe

          Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Unpacked PE file: 3.2.wREFu91LXZ.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;
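The evidence line above encodes each section's memory rights as a compact string (E = execute, R = read, W = write) for the rewritten image in memory and the image it started from, and the signature fires when the two differ. The following added example, which is not part of this Joe Sandbox report or of the analysed sample, parses the PE section table directly from bytes to produce that same string and diffs a disk image against a dump. The two PE images it uses are constructed header-only stubs built inline for illustration (Machine 0x14C and Characteristics 0x102 are the 32BIT_MACHINE/EXECUTABLE_IMAGE values the static PE information above reports, but the sections and their rights are invented).

```python
"""Render PE section rights as "NAME:[E][R][W];" and diff disk image vs memory dump.

Added example for this report; the PE images below are constructed test stubs.
"""
from __future__ import annotations

import struct

# IMAGE_SECTION_HEADER.Characteristics bits that govern page rights.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_rights(pe: bytes) -> str:
    """Walk the section table and render it in the report's ".text:ER;.rdata:R;" shape."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", pe, file_header + 2)
    (opt_size,) = struct.unpack_from("<H", pe, file_header + 16)
    table = file_header + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    rendered = []
    for i in range(num_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", pe, off + 36)        # Characteristics field
        flags = ("E" if chars & IMAGE_SCN_MEM_EXECUTE else "") \
            + ("R" if chars & IMAGE_SCN_MEM_READ else "") \
            + ("W" if chars & IMAGE_SCN_MEM_WRITE else "")
        rendered.append(f"{name}:{flags};")
    return "".join(rendered)


def rights_changed(disk_image: bytes, dumped_image: bytes) -> list[str]:
    """Sections whose rights differ between the file on disk and a memory dump,
    the condition behind 'Detected unpacking (changes PE section rights)'."""
    def as_map(rendered: str) -> dict[str, str]:
        return dict(part.split(":", 1) for part in rendered.split(";") if part)

    before = as_map(section_rights(disk_image))
    after = as_map(section_rights(dumped_image))
    return sorted(
        f"{name}:{before.get(name, 'none')}->{after.get(name, 'none')}"
        for name in set(before) | set(after)
        if before.get(name) != after.get(name)
    )


def build_pe(sections: list[tuple[bytes, int]]) -> bytes:
    """Constructed minimal PE32 (headers only, no section data) to exercise the parser."""
    optional = bytes(224)                                        # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections
    )
    dos_header = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos_header + b"PE\0\0" + file_header + optional + table


# Constructed pair: .text is read+execute on disk but read+write+execute in the dump,
# the footprint of an unpacker that rewrites its own code section in place.
DISK_IMAGE = build_pe([(b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                       (b".rdata", IMAGE_SCN_MEM_READ)])
DUMPED_IMAGE = build_pe([(b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                         (b".rdata", IMAGE_SCN_MEM_READ)])

if __name__ == "__main__":
    print(section_rights(DUMPED_IMAGE), "vs", section_rights(DISK_IMAGE))
    print(rights_changed(DISK_IMAGE, DUMPED_IMAGE))
```

One caveat for anyone reproducing the check outside a sandbox: the header Characteristics of a dumped image only tell you what the loader applied at map time. A payload that changes rights at runtime with NtProtectVirtualMemory (which both processes above contain) leaves the header untouched, so a robust check also compares the actual page protections reported for each section's address range.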
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_004062F6 pushfd ; ret | 3_2_004062F7
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041B3C5 push eax; ret | 3_2_0041B418
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_004153FC push eax; retf | 3_2_0041540B
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041B47C push eax; ret | 3_2_0041B482
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041B412 push eax; ret | 3_2_0041B418
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041B41B push eax; ret | 3_2_0041B482
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00415CE7 pushad ; ret | 3_2_00415D4B
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_0041C4EE push 133511A3h; retf | 3_2_0041C4F3
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00414D71 push ss; iretd | 3_2_00414D72
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00415D38 pushad ; ret | 3_2_00415D4B
Source: C:\Users\user\Desktop\wREFu91LXZ.exe | Code function: 3_2_00B8D0D1 push ecx; ret | 3_2_00B8D0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0440D0D1 push ecx; ret | 10_2_0440D0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A162F6 pushfd ; ret | 10_2_02A162F7
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A253FC push eax; retf | 10_2_02A2540B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2B3C5 push eax; ret | 10_2_02A2B418
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A25CE7 pushad ; ret | 10_2_02A25D4B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2C4EE push 133511A3h; retf | 10_2_02A2C4F3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2B412 push eax; ret | 10_2_02A2B418
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2B41B push eax; ret | 10_2_02A2B482
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A2B47C push eax; ret | 10_2_02A2B482
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A25D38 pushad ; ret | 10_2_02A25D4B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_02A24D71 push ss; iretd | 10_2_02A24D72