Windows Analysis Report
rwilsss.exe

Overview

General Information

Sample name:	rwilsss.exe
Analysis ID:	1650112
MD5:	0ad858f5d7afc96924fb09dce7fc64c5
SHA1:	ec5d9ef1295313778a2fc53d49b58b2c52ecbf18
SHA256:	3a150034f743320c85c890a29755032d9f850d0da9848c7a96c63bd2690e3495
Tags:	exeuser-Porcupine
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rwilsss.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.greyareaclothing.store/hnau/?qNfTm=It7h28&fR=ff1YCXiTWW4cronbiq9MGdiWlqGOzdA8w4Ki7N0QaK1i9QkYzKHUVEZHk15HQFwSEDwxmz8E4etY1UkfuJt9MSgwr7jqtLW+NVd7ppd4VdPtV/YghcXnRLg=	Avira URL Cloud: Label: malware
Source: http://www.hellosweetie.net/e7k4/	Avira URL Cloud: Label: malware
Source: http://www.hellosweetie.net/e7k4/?fR=PCaq+8SJhdNev9S780c3MbnLxcb9xrw0LZhyuWsfCuz+E7fQV66LHSkbKMkqmntN/Wo7RToQsXo9VJ/le6MACc/ER0UdFwyMaQgiHOq8F/NNUaNt2b5IJfg=&qNfTm=It7h28	Avira URL Cloud: Label: malware
Source: http://www.greyareaclothing.store/hnau/?qNfTm=It7h28&fR=ff1YCXiTWW4cronbiq9MGdiWlqGOzdA8w4Ki7N0QaK1i	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: rwilsss.exe	ReversingLabs: Detection: 41%
Source: rwilsss.exe	Virustotal: Detection: 37%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.rwilsss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rwilsss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2563154374.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1789475310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2564178771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1839152030.0000000005910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2564124185.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2564572270.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1791238666.0000000001880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 92.4%

Uses 32bit PE files

Source: rwilsss.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rwilsss.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cipher.pdbGCTL source: rwilsss.exe, 00000001.00000002.1789730108.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, 956BZGpkmvZDS0Ds.exe, 00000003.00000003.1862239491.0000000001159000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rwilsss.exe, 00000001.00000002.1789941757.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.2564592537.0000000004AAE000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.1789792221.00000000045BC000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.1792254365.0000000004769000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.2564592537.0000000004910000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rwilsss.exe, rwilsss.exe, 00000001.00000002.1789941757.0000000001480000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, cipher.exe, 00000004.00000002.2564592537.0000000004AAE000.00000040.00001000.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.1789792221.00000000045BC000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000003.1792254365.0000000004769000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.2564592537.0000000004910000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cipher.pdb source: rwilsss.exe, 00000001.00000002.1789730108.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, 956BZGpkmvZDS0Ds.exe, 00000003.00000003.1862239491.0000000001159000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2563217237.0000000000B8F000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Windows\SysWOW64\cipher.exe

Code function: 4_2_0070C580 FindFirstFileW,FindNextFileW,FindClose,

4_2_0070C580

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 4x nop then pop edi	1_2_00418C43
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4x nop then xor eax, eax	4_2_006FA080
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4x nop then pop edi	4_2_006FE0FB
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4x nop then pop edi	4_2_00705860
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_046604C8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49724 -> 104.166.91.35:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49730 -> 172.64.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49725 -> 104.166.91.35:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49726 -> 104.166.91.35:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49728 -> 172.64.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49729 -> 172.64.80.1:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.link6-tesla-nd6.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.link6-tesla-nd6.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.vaishnavi.xyz
Source:	DNS query: www.link6-tesla-nd6.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 103.224.182.242 103.224.182.242
Source: Joe Sandbox View	IP Address: 172.64.80.1 172.64.80.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /hnau/?qNfTm=It7h28&fR=ff1YCXiTWW4cronbiq9MGdiWlqGOzdA8w4Ki7N0QaK1i9QkYzKHUVEZHk15HQFwSEDwxmz8E4etY1UkfuJt9MSgwr7jqtLW+NVd7ppd4VdPtV/YghcXnRLg= HTTP/1.1Host: www.greyareaclothing.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C)
Source: global traffic	HTTP traffic detected: GET /e7k4/?fR=PCaq+8SJhdNev9S780c3MbnLxcb9xrw0LZhyuWsfCuz+E7fQV66LHSkbKMkqmntN/Wo7RToQsXo9VJ/le6MACc/ER0UdFwyMaQgiHOq8F/NNUaNt2b5IJfg=&qNfTm=It7h28 HTTP/1.1Host: www.hellosweetie.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C)
Source: global traffic	HTTP traffic detected: GET /swvy/?fR=XmKRY/t03EXKotfV27rpDi4Y7n4N3D4pVt6OywdHmo1/t4zPfsyxQcTruN1gdpMmfgSMn23VTjbybs3ZENJsdIgpWTI6AOV1xHSAMA6v7RrhmW1TPsqc/lc=&qNfTm=It7h28 HTTP/1.1Host: www.link6-tesla-nd6.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C)

Source: global traffic	DNS traffic detected: DNS query: www.greyareaclothing.store
Source: global traffic	DNS traffic detected: DNS query: www.hellosweetie.net
Source: global traffic	DNS traffic detected: DNS query: www.link6-tesla-nd6.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vaishnavi.xyz

Source: unknown

HTTP traffic detected: POST /e7k4/ HTTP/1.1Host: www.hellosweetie.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usContent-Length: 199Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeOrigin: http://www.hellosweetie.netReferer: http://www.hellosweetie.net/e7k4/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; GTB7.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C)Data Raw: 66 52 3d 43 41 79 4b 39 4b 65 73 77 74 5a 44 6d 6f 44 37 32 31 73 76 41 64 33 39 35 37 36 33 39 64 6f 66 42 35 5a 44 39 79 6b 62 50 2b 37 77 58 71 65 6e 56 2f 4f 47 64 41 42 7a 52 64 49 4e 77 6c 52 55 2b 6d 6b 37 53 6b 68 41 72 47 73 74 4b 5a 6a 51 4c 63 6c 57 65 50 4c 62 59 58 67 55 4d 31 50 71 62 42 6c 6d 65 76 4f 54 4e 65 5a 47 48 37 35 58 39 2b 46 7a 47 63 79 53 30 6a 6e 2f 46 72 79 61 4a 70 55 6b 74 6a 66 49 31 7a 6b 55 50 48 36 4d 53 52 6e 61 72 68 68 41 5a 67 31 71 75 71 6c 36 79 35 73 57 76 67 30 65 33 56 41 4a 6d 49 55 2f 71 70 4a 39 36 65 67 36 65 7a 43 74 6a 54 39 50 67 67 3d 3d Data Ascii: fR=CAyK9KeswtZDmoD721svAd3957639dofB5ZD9ykbP+7wXqenV/OGdABzRdINwlRU+mk7SkhArGstKZjQLclWePLbYXgUM1PqbBlmevOTNeZGH75X9+FzGcyS0jn/FryaJpUktjfI1zkUPH6MSRnarhhAZg1quql6y5sWvg0e3VAJmIU/qpJ96eg6ezCtjT9Pgg==

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 27 Mar 2025 12:33:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RNJy%2F5JDHrb8Iylu7bOEuY0MZVW1u88HMlLWEuFq31EzrMnwlca4DTnj0KlYaxBjlq8qLo2FHZbNaR7iz9hbyMAb0ZUrHZZvPxaZWzh4kwyurpTGYLL0tIBqVLwxUbyKfcuWUjWFbrOog%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 926eea5cdc780f67-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=88860&min_rtt=88860&rtt_var=44430&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=526&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE

Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2567659913.0000000005FB6000.00000004.80000000.00040000.00000000.sdmp, cipher.exe, 00000004.00000002.2565056026.00000000054B6000.00000004.10000000.00040000.00000000.sdmp, cipher.exe, 00000004.00000002.2566471148.00000000077E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: firefox.exe, 00000007.00000002.2079258002.000000002B444000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.greyareaclothing.store/hnau/?qNfTm=It7h28&fR=ff1YCXiTWW4cronbiq9MGdiWlqGOzdA8w4Ki7N0QaK1i
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2563931581.000000000128C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.link6-tesla-nd6.xyz
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2563931581.000000000128C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.link6-tesla-nd6.xyz/swvy/
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rwilsss.exe, 00000000.00000002.1331910191.00000000073E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: cipher.exe, 00000004.00000002.2563320507.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cipher.exe, 00000004.00000002.2563320507.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cipher.exe, 00000004.00000002.2563320507.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cipher.exe, 00000004.00000003.1964371083.0000000007A60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: cipher.exe, 00000004.00000002.2566567250.0000000007A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2567659913.0000000005FB6000.00000004.80000000.00040000.00000000.sdmp, cipher.exe, 00000004.00000002.2565056026.00000000054B6000.00000004.10000000.00040000.00000000.sdmp, cipher.exe, 00000004.00000002.2566471148.00000000077E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.rwilsss.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rwilsss.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2563154374.00000000006F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1789475310.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2564178771.0000000000DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1839152030.0000000005910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2564124185.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2564572270.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1791238666.0000000001880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Contains functionality to call native functions

Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0042C873 NtClose,	1_2_0042C873
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2B60 NtClose,LdrInitializeThunk,	1_2_014F2B60
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_014F2DF0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_014F2C70
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F35C0 NtCreateMutant,LdrInitializeThunk,	1_2_014F35C0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F4340 NtSetContextThread,	1_2_014F4340
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F4650 NtSuspendThread,	1_2_014F4650
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2BE0 NtQueryValueKey,	1_2_014F2BE0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2BF0 NtAllocateVirtualMemory,	1_2_014F2BF0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2B80 NtQueryInformationFile,	1_2_014F2B80
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2BA0 NtEnumerateValueKey,	1_2_014F2BA0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2AD0 NtReadFile,	1_2_014F2AD0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2AF0 NtWriteFile,	1_2_014F2AF0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2AB0 NtWaitForSingleObject,	1_2_014F2AB0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2D00 NtSetInformationFile,	1_2_014F2D00
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2D10 NtMapViewOfSection,	1_2_014F2D10
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2D30 NtUnmapViewOfSection,	1_2_014F2D30
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2DD0 NtDelayExecution,	1_2_014F2DD0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2DB0 NtEnumerateKey,	1_2_014F2DB0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2C60 NtCreateKey,	1_2_014F2C60
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2C00 NtQueryInformationProcess,	1_2_014F2C00
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2CC0 NtQueryVirtualMemory,	1_2_014F2CC0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2CF0 NtOpenProcess,	1_2_014F2CF0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2CA0 NtQueryInformationToken,	1_2_014F2CA0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2F60 NtCreateProcessEx,	1_2_014F2F60
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2F30 NtCreateSection,	1_2_014F2F30
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2FE0 NtCreateFile,	1_2_014F2FE0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2F90 NtProtectVirtualMemory,	1_2_014F2F90
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2FA0 NtQuerySection,	1_2_014F2FA0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2FB0 NtResumeThread,	1_2_014F2FB0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2E30 NtWriteVirtualMemory,	1_2_014F2E30
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2EE0 NtQueueApcThread,	1_2_014F2EE0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2E80 NtReadVirtualMemory,	1_2_014F2E80
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F2EA0 NtAdjustPrivilegesToken,	1_2_014F2EA0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F3010 NtOpenDirectoryObject,	1_2_014F3010
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F3090 NtSetValueKey,	1_2_014F3090
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F39B0 NtGetContextThread,	1_2_014F39B0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F3D70 NtOpenThread,	1_2_014F3D70
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F3D10 NtOpenProcessToken,	1_2_014F3D10
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04984650 NtSuspendThread,LdrInitializeThunk,	4_2_04984650
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04984340 NtSetContextThread,LdrInitializeThunk,	4_2_04984340
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04982CA0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04982C70
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982C60 NtCreateKey,LdrInitializeThunk,	4_2_04982C60
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04982DD0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04982DF0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04982D10
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_04982D30
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_04982E80
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_04982EE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982FB0 NtResumeThread,LdrInitializeThunk,	4_2_04982FB0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982FE0 NtCreateFile,LdrInitializeThunk,	4_2_04982FE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982F30 NtCreateSection,LdrInitializeThunk,	4_2_04982F30
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982AD0 NtReadFile,LdrInitializeThunk,	4_2_04982AD0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982AF0 NtWriteFile,LdrInitializeThunk,	4_2_04982AF0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_04982BA0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04982BF0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04982BE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982B60 NtClose,LdrInitializeThunk,	4_2_04982B60
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049835C0 NtCreateMutant,LdrInitializeThunk,	4_2_049835C0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049839B0 NtGetContextThread,LdrInitializeThunk,	4_2_049839B0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982CC0 NtQueryVirtualMemory,	4_2_04982CC0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982CF0 NtOpenProcess,	4_2_04982CF0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982C00 NtQueryInformationProcess,	4_2_04982C00
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982DB0 NtEnumerateKey,	4_2_04982DB0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982D00 NtSetInformationFile,	4_2_04982D00
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982EA0 NtAdjustPrivilegesToken,	4_2_04982EA0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982E30 NtWriteVirtualMemory,	4_2_04982E30
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982F90 NtProtectVirtualMemory,	4_2_04982F90
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982FA0 NtQuerySection,	4_2_04982FA0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982F60 NtCreateProcessEx,	4_2_04982F60
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982AB0 NtWaitForSingleObject,	4_2_04982AB0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04982B80 NtQueryInformationFile,	4_2_04982B80
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04983090 NtSetValueKey,	4_2_04983090
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04983010 NtOpenDirectoryObject,	4_2_04983010
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04983D10 NtOpenProcessToken,	4_2_04983D10
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04983D70 NtOpenThread,	4_2_04983D70
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00719190 NtCreateFile,	4_2_00719190
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00719300 NtReadFile,	4_2_00719300
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_007193F0 NtDeleteFile,	4_2_007193F0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00719490 NtClose,	4_2_00719490
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00719600 NtAllocateVirtualMemory,	4_2_00719600

Detected potential crypto function

Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_03004218	0_2_03004218
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_03006F93	0_2_03006F93
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_0300D584	0_2_0300D584
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE4FF9	0_2_07BE4FF9
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE3528	0_2_07BE3528
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE2C7D	0_2_07BE2C7D
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE4BD0	0_2_07BE4BD0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE30E0	0_2_07BE30E0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE5008	0_2_07BE5008
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004186F3	1_2_004186F3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004100C3	1_2_004100C3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040E0C3	1_2_0040E0C3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004168FE	1_2_004168FE
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00403160	1_2_00403160
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00416903	1_2_00416903
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004029D0	1_2_004029D0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040E20B	1_2_0040E20B
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040E213	1_2_0040E213
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00401C82	1_2_00401C82
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00401C90	1_2_00401C90
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00402660	1_2_00402660
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0041862E	1_2_0041862E
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040468D	1_2_0040468D
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040FEA3	1_2_0040FEA3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0042EEB3	1_2_0042EEB3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00404757	1_2_00404757
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01548158	1_2_01548158
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014B0100	1_2_014B0100
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0155A118	1_2_0155A118
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015781CC	1_2_015781CC
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015801AA	1_2_015801AA
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015741A2	1_2_015741A2
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01552000	1_2_01552000
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157A352	1_2_0157A352
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014CE3F0	1_2_014CE3F0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015803E6	1_2_015803E6
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01560274	1_2_01560274
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015402C0	1_2_015402C0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C0535	1_2_014C0535
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01580591	1_2_01580591
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01572446	1_2_01572446
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01564420	1_2_01564420
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0156E4F6	1_2_0156E4F6
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014E4750	1_2_014E4750
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C0770	1_2_014C0770
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014BC7C0	1_2_014BC7C0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014DC6E0	1_2_014DC6E0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014D6962	1_2_014D6962
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C29A0	1_2_014C29A0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0158A9A6	1_2_0158A9A6
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014CA840	1_2_014CA840
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C2840	1_2_014C2840
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014EE8F0	1_2_014EE8F0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014A68B8	1_2_014A68B8
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157AB40	1_2_0157AB40
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01576BD7	1_2_01576BD7
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014BEA80	1_2_014BEA80
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0155CD1F	1_2_0155CD1F
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014CAD00	1_2_014CAD00
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014BADE0	1_2_014BADE0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014D8DBF	1_2_014D8DBF
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C0C00	1_2_014C0C00
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014B0CF2	1_2_014B0CF2
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01560CB5	1_2_01560CB5
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01534F40	1_2_01534F40
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01562F30	1_2_01562F30
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01502F28	1_2_01502F28
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014E0F30	1_2_014E0F30
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014B2FC8	1_2_014B2FC8
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014CCFE0	1_2_014CCFE0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0153EFA0	1_2_0153EFA0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C0E59	1_2_014C0E59
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157EE26	1_2_0157EE26
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157EEDB	1_2_0157EEDB
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157CE93	1_2_0157CE93
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014D2E90	1_2_014D2E90
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014F516C	1_2_014F516C
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0158B16B	1_2_0158B16B
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014AF172	1_2_014AF172
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014CB1B0	1_2_014CB1B0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C70C0	1_2_014C70C0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0156F0CC	1_2_0156F0CC
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157F0E0	1_2_0157F0E0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015770E9	1_2_015770E9
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014AD34C	1_2_014AD34C
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157132D	1_2_0157132D
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0150739A	1_2_0150739A
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014DB2C0	1_2_014DB2C0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015612ED	1_2_015612ED
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C52A0	1_2_014C52A0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01577571	1_2_01577571
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015895C3	1_2_015895C3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0155D5B0	1_2_0155D5B0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014B1460	1_2_014B1460
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157F43F	1_2_0157F43F
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157F7B0	1_2_0157F7B0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01505630	1_2_01505630
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_015716CC	1_2_015716CC
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C9950	1_2_014C9950
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014DB950	1_2_014DB950
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01555910	1_2_01555910
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0152D800	1_2_0152D800
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C38E0	1_2_014C38E0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157FB76	1_2_0157FB76
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01535BF0	1_2_01535BF0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014FDBF9	1_2_014FDBF9
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014DFB80	1_2_014DFB80
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01577A46	1_2_01577A46
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157FA49	1_2_0157FA49
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01533A6C	1_2_01533A6C
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0156DAC6	1_2_0156DAC6
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01505AA0	1_2_01505AA0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01561AA3	1_2_01561AA3
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0155DAAC	1_2_0155DAAC
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C3D40	1_2_014C3D40
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01571D5A	1_2_01571D5A
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01577D73	1_2_01577D73
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014DFDC0	1_2_014DFDC0
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01539C32	1_2_01539C32
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157FCF2	1_2_0157FCF2
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157FF09	1_2_0157FF09
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01483FD2	1_2_01483FD2
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_01483FD5	1_2_01483FD5
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C1F92	1_2_014C1F92
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0157FFB1	1_2_0157FFB1
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014C9EB0	1_2_014C9EB0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049FE4F6	4_2_049FE4F6
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049F4420	4_2_049F4420
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A02446	4_2_04A02446
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A10591	4_2_04A10591
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04950535	4_2_04950535
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0496C6E0	4_2_0496C6E0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04974750	4_2_04974750
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04950770	4_2_04950770
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049E2000	4_2_049E2000
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A041A2	4_2_04A041A2
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A101AA	4_2_04A101AA
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A081CC	4_2_04A081CC
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049EA118	4_2_049EA118
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04940100	4_2_04940100
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049D8158	4_2_049D8158
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049D02C0	4_2_049D02C0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049F0274	4_2_049F0274
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A103E6	4_2_04A103E6
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0495E3F0	4_2_0495E3F0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0A352	4_2_04A0A352
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049F0CB5	4_2_049F0CB5
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04940CF2	4_2_04940CF2
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04950C00	4_2_04950C00
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04968DBF	4_2_04968DBF
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0494ADE0	4_2_0494ADE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049ECD1F	4_2_049ECD1F
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0495AD00	4_2_0495AD00
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04962E90	4_2_04962E90
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0CE93	4_2_04A0CE93
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0EEDB	4_2_04A0EEDB
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0EE26	4_2_04A0EE26
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04950E59	4_2_04950E59
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049CEFA0	4_2_049CEFA0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04942FC8	4_2_04942FC8
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0495CFE0	4_2_0495CFE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04970F30	4_2_04970F30
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049F2F30	4_2_049F2F30
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04992F28	4_2_04992F28
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049C4F40	4_2_049C4F40
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049368B8	4_2_049368B8
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0497E8F0	4_2_0497E8F0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04952840	4_2_04952840
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0495A840	4_2_0495A840
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A1A9A6	4_2_04A1A9A6
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049529A0	4_2_049529A0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04966962	4_2_04966962
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0494EA80	4_2_0494EA80
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A06BD7	4_2_04A06BD7
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0AB40	4_2_04A0AB40
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0F43F	4_2_04A0F43F
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04941460	4_2_04941460
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049ED5B0	4_2_049ED5B0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A195C3	4_2_04A195C3
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A07571	4_2_04A07571
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A016CC	4_2_04A016CC
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04995630	4_2_04995630
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0F7B0	4_2_04A0F7B0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0F0E0	4_2_04A0F0E0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A070E9	4_2_04A070E9
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049FF0CC	4_2_049FF0CC
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049570C0	4_2_049570C0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0495B1B0	4_2_0495B1B0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A1B16B	4_2_04A1B16B
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0493F172	4_2_0493F172
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0498516C	4_2_0498516C
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049552A0	4_2_049552A0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0496B2C0	4_2_0496B2C0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049F12ED	4_2_049F12ED
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0499739A	4_2_0499739A
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0132D	4_2_04A0132D
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0493D34C	4_2_0493D34C
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0FCF2	4_2_04A0FCF2
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049C9C32	4_2_049C9C32
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0496FDC0	4_2_0496FDC0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A07D73	4_2_04A07D73
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04953D40	4_2_04953D40
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A01D5A	4_2_04A01D5A
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04959EB0	4_2_04959EB0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04951F92	4_2_04951F92
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0FFB1	4_2_04A0FFB1
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04913FD2	4_2_04913FD2
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04913FD5	4_2_04913FD5
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0FF09	4_2_04A0FF09
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049538E0	4_2_049538E0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049BD800	4_2_049BD800
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049E5910	4_2_049E5910
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04959950	4_2_04959950
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0496B950	4_2_0496B950
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049EDAAC	4_2_049EDAAC
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04995AA0	4_2_04995AA0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049F1AA3	4_2_049F1AA3
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049FDAC6	4_2_049FDAC6
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A07A46	4_2_04A07A46
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0FA49	4_2_04A0FA49
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049C3A6C	4_2_049C3A6C
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0496FB80	4_2_0496FB80
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0498DBF9	4_2_0498DBF9
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049C5BF0	4_2_049C5BF0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04A0FB76	4_2_04A0FB76
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00701C70	4_2_00701C70
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FCAC0	4_2_006FCAC0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FACE0	4_2_006FACE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FCCE0	4_2_006FCCE0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FAE28	4_2_006FAE28
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FAE30	4_2_006FAE30
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006F12AA	4_2_006F12AA
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006F1374	4_2_006F1374
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00705310	4_2_00705310
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00703520	4_2_00703520
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0070351B	4_2_0070351B
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0071BAD0	4_2_0071BAD0
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0466E4D4	4_2_0466E4D4
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0466E3B4	4_2_0466E3B4
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0466E877	4_2_0466E877
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0466D938	4_2_0466D938

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\rwilsss.exe	Code function: String function: 0153F290 appears 105 times
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: String function: 01507E54 appears 111 times
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: String function: 014AB970 appears 280 times
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: String function: 014F5130 appears 58 times
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: String function: 0152EA12 appears 86 times
Source: C:\Windows\SysWOW64\cipher.exe	Code function: String function: 0493B970 appears 280 times
Source: C:\Windows\SysWOW64\cipher.exe	Code function: String function: 04997E54 appears 111 times
Source: C:\Windows\SysWOW64\cipher.exe	Code function: String function: 049BEA12 appears 86 times
Source: C:\Windows\SysWOW64\cipher.exe	Code function: String function: 049CF290 appears 105 times
Source: C:\Windows\SysWOW64\cipher.exe	Code function: String function: 04985130 appears 58 times

Sample file is different than original file name gathered from version info

Source: rwilsss.exe, 00000000.00000000.1304055335.0000000000F0A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVaxv.exe6 vs rwilsss.exe
Source: rwilsss.exe, 00000000.00000002.1333394173.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs rwilsss.exe
Source: rwilsss.exe, 00000000.00000002.1326939138.00000000013DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rwilsss.exe
Source: rwilsss.exe, 00000001.00000002.1789730108.0000000000F38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCIPHER.EXEj% vs rwilsss.exe
Source: rwilsss.exe, 00000001.00000002.1789941757.00000000015AD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rwilsss.exe
Source: rwilsss.exe, 00000001.00000002.1789730108.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCIPHER.EXEj% vs rwilsss.exe
Source: rwilsss.exe	Binary or memory string: OriginalFilenameVaxv.exe6 vs rwilsss.exe

Uses 32bit PE files

Source: rwilsss.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rwilsss.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, HXDsCMhO9mjgsMCmtf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, HXDsCMhO9mjgsMCmtf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, HXDsCMhO9mjgsMCmtf.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, HXDsCMhO9mjgsMCmtf.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, VymkIglRuaHFKZBAIp.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, VymkIglRuaHFKZBAIp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, VymkIglRuaHFKZBAIp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, VymkIglRuaHFKZBAIp.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, VymkIglRuaHFKZBAIp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, VymkIglRuaHFKZBAIp.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@15/3

Source: C:\Users\user\Desktop\rwilsss.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwilsss.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\rwilsss.exe "C:\Users\user\Desktop\rwilsss.exe"
Source: C:\Users\user\Desktop\rwilsss.exe	Process created: C:\Users\user\Desktop\rwilsss.exe "C:\Users\user\Desktop\rwilsss.exe"
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Process created: C:\Windows\SysWOW64\cipher.exe "C:\Windows\SysWOW64\cipher.exe"
Source: C:\Windows\SysWOW64\cipher.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rwilsss.exe	Process created: C:\Users\user\Desktop\rwilsss.exe "C:\Users\user\Desktop\rwilsss.exe"	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Process created: C:\Windows\SysWOW64\cipher.exe "C:\Windows\SysWOW64\cipher.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, VymkIglRuaHFKZBAIp.cs	.Net Code: uU7WNU0dyN System.Reflection.Assembly.Load(byte[])
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, VymkIglRuaHFKZBAIp.cs	.Net Code: uU7WNU0dyN System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE96E5 push FFFFFF8Bh; iretd	0_2_07BE96E7
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 0_2_07BE04A0 pushfd ; ret	0_2_07BE04A1
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00418DEE push ds; retf 581Dh	1_2_00418DA5
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00418046 push ds; ret	1_2_0041802E
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0041801D push ds; ret	1_2_0041802E
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00416023 push eax; iretd	1_2_00416037
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004119AD push es; retf	1_2_004119BC
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00415A6C push B3AF36F4h; retf	1_2_00415A71
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004033E0 push eax; ret	1_2_004033E2
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_004183A1 push esp; iretd	1_2_004183A2
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00418C43 push ds; retf 581Dh	1_2_00418DA5
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_00415D55 push eax; ret	1_2_00415D60
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040D716 push B5AFD895h; iretd	1_2_0040D732
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0040D733 pushad ; ret	1_2_0040D74D
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0148225F pushad ; ret	1_2_014827F9
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014827FA pushad ; ret	1_2_014827F9
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_014B09AD push ecx; mov dword ptr [esp], ecx	1_2_014B09B6
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0148283D push eax; iretd	1_2_01482858
Source: C:\Users\user\Desktop\rwilsss.exe	Code function: 1_2_0148135E push eax; iretd	1_2_01481369
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049127FA pushad ; ret	4_2_049127F9
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0491225F pushad ; ret	4_2_049127F9
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0491283D push eax; iretd	4_2_04912858
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_049409AD push ecx; mov dword ptr [esp], ecx	4_2_049409B6
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_04911200 push eax; iretd	4_2_04911369
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FE19F push cs; iretd	4_2_006FE1A8
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00710488 push ss; ret	4_2_0071048A
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_0071051C push edx; retf	4_2_0071051D
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_006FE5CA push es; retf	4_2_006FE5D9
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00702689 push B3AF36F4h; retf	4_2_0070268E
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00704C63 push ds; ret	4_2_00704C4B
Source: C:\Windows\SysWOW64\cipher.exe	Code function: 4_2_00702C40 push eax; iretd	4_2_00702C54

Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, VymkIglRuaHFKZBAIp.cs	High entropy of concatenated method names: 'fdAs6hhjkJ', 'IP0sodiJh7', 'v0CsHXVYEB', 'iYvsFlhuVC', 'pJZsulF3Dm', 'stdskhgyRo', 'VWospcQT3d', 'v7Iswfwi4U', 'HVLsbeYMaP', 'TAFsMjnkLl'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, OnMysNLFbSb5QwAC3Q.cs	High entropy of concatenated method names: 'Dispose', 'UMfOv2Pqsj', 'Yka0hS2GRS', 'nZ3VdUlpFk', 'LUwO8sWhdl', 'cQbOzBXR6M', 'ProcessDialogKey', 'KR40Jsf12L', 'aNd0OKYwdA', 'PHj00qpDAv'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, jpNNdKJJ1hFr3LgUtgo.cs	High entropy of concatenated method names: 'xy848nfxpy', 'AiL4ziKb6M', 'B97GJJephu', 'AXhGOmsgYP', 'BabG03D75f', 'GVXGsCp16p', 'Pl9GWxfGJP', 'u2ZG6tgJq7', 'vcaGoIAmwM', 'LGsGHbfDmY'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, eqbxTZJyciS1xf9lp0b.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RmGV78kFnV', 'whJV4fqfbe', 'FMLVGkeLns', 'WoOVV1hGQG', 'a49Vg4oCRM', 'tVFViwN2s2', 'YriVE5HsGf'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, HXDsCMhO9mjgsMCmtf.cs	High entropy of concatenated method names: 'ievHQkuEcF', 'zbqHt8TcZ7', 'nt9HeUJm0N', 'tmnHAQjxte', 'l8iHdLUWCK', 'FsgHxX4Zce', 'MuLHKytabO', 'VxRHrRfAeW', 'VmwHvIqCXL', 'KcsH8vL6vo'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, i3Njdl3CXLjpmBdJ3w.cs	High entropy of concatenated method names: 'ysfk6fj3hZ', 's0fkHT9I7m', 'CdnkuGpMTx', 'IhYkpA7Lv8', 'XEYkwq6awi', 'rldudLvN5V', 'WLduxNdOaC', 'yJOuKWoklT', 'xCnurY2BoF', 'k69uvWpDZ5'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, MEV1lhaVqPHXD3csOw.cs	High entropy of concatenated method names: 'yZIDc24pVb', 'MtqDlmSSPk', 'AgpD51oTvU', 'RsDDh2xcQJ', 'CM3DnKajmB', 'hKkDCK6Nco', 'BCBD1I6I3a', 'sBND20fnFY', 'RbxDYy9pvQ', 'F8WDTH23vd'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, obBW1w5pHtV0PamqJr.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WtI0vimTUQ', 'LeI08vpDgP', 'NGu0zpoj91', 'KqWsJeG6bD', 'OOgsOsfUTG', 'DkLs0Sf0gn', 'UAfssjr4QD', 'DBKTWsbCo0rTFfBnB2P'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, d5t3ZZdSPgAITYvHKH.cs	High entropy of concatenated method names: 'DSTZYTtlhd', 'UOXZSo8LT4', 'NWAZQ4Jlx5', 'snMZtYCiSJ', 'niBZhPxRxh', 'VxaZ3AISgl', 'pE7Zn8CJwg', 'cDIZCy1kyF', 'EbZZyknmFZ', 'X4jZ10hl1b'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, cTOGrkyaBeMZ8TG5B5.cs	High entropy of concatenated method names: 'JeROpD2CLU', 'u8jOwOBTHc', 'ShdOMMAYwc', 'kbHOPBVeuo', 'jbkOZvvS51', 'CTsOaQnjEm', 'hI4IYqF71kMV24scT8', 'YObQ8Sj3O1EpTVlinb', 'DISOOJtCdb', 'hrBOsNMRVR'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, ExSorQiXGXxCGIdqbB.cs	High entropy of concatenated method names: 'Plg75nD6Tb', 'e577hNb9gX', 'mlI73W3scG', 'KxM7njAXU9', 'rW87CoJdyG', 'eCB7yCqRp4', 'qQL71UO7gL', 'PEE725Q7dl', 'kZm7RZ5O6J', 'hfj7Y32nc7'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, z6mFim4BpxhscETyvU.cs	High entropy of concatenated method names: 'MMjNDQ1cY', 'UisXpQwFh', 'QP9jPlGbD', 'mb6qlQxJb', 'K6bliwdtQ', 'LENfaKTYo', 'al6U09YKIFq3uF2oOk', 'VyF7NDWOXKnvtLdYlf', 'PNDBXgSWI', 'kwZ4B3NbA'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, DOYSCepjRiuyCmCHml.cs	High entropy of concatenated method names: 'tNAUM7iDNZ', 'eHgUPmbIaq', 'ToString', 'wsQUotbgpj', 'aOLUHlFFCF', 'JgwUF1j9lh', 'camUu2hWTi', 'EdyUkfWhXm', 'gmFUpQdUSQ', 'FtAUwCC2L1'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, D1sF4PUHbEQO46e6kP.cs	High entropy of concatenated method names: 'K1VUrNQLdi', 'TRaU8XpO4A', 'Tc9BJst4QV', 'WGJBOgrxsX', 'nRxUTmRw3f', 'McqUSPg7YS', 'qDGUL6xwpp', 'YA6UQDxarb', 'xc4UtqT1N5', 'MGjUeImkJV'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, JiIKgUKZQ06uvI1n2T.cs	High entropy of concatenated method names: 'kqE4FjuBKD', 'OZy4uWnuNR', 'Wtl4ksWyZi', 'FLb4pGHve6', 'ki247coqUf', 'kgo4waKV16', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, EWKmYBjeAGS4vH2wGt.cs	High entropy of concatenated method names: 'cPPFXZHkdj', 'LJiFjk4jaY', 'eOPFcwZovK', 'xRRFlpNnCG', 'sf2FZJt5rg', 'nbPFaFtjBI', 'YLEFUHxhCA', 'ySsFBtDnvJ', 'N4wF7n5KNE', 'DBCF4eBibO'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, TkFvsr82CWWG31p0hb.cs	High entropy of concatenated method names: 'jixuIxnWic', 'RMquq1WBni', 'HTqF3tYOOP', 'jnRFnTw184', 'rqWFCwTs6W', 'P53FyFZja1', 'YDLF1p9n01', 'IEtF2FXxK5', 'z0LFRNytxT', 'qckFYQOGYB'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, tHeI2MOaATmMZ5REVL.cs	High entropy of concatenated method names: 'ToString', 'sZUaTZPrpG', 'UP1ahRofnB', 'L98a3lo2yh', 'XdlantZ3be', 'XwgaC2rxtK', 'RmIay6Zt7u', 'm5Ia1fycRR', 'OmIa2BERyJ', 'Gi7aRPKjrK'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, nBJGY3bHkXKSv1gm0K.cs	High entropy of concatenated method names: 'WgVpoBOwsP', 'iOupFncfD4', 'kgppkSFnoH', 'irAk8IHKkq', 'RAUkzqx9mC', 'C6wpJl2RGj', 'lUVpOk4ula', 'nRop0wD8pI', 'hjBpsDDevo', 'BXKpWVYQtq'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, VBVCP8cb6S9G4ikfis.cs	High entropy of concatenated method names: 'FEu7ZmjvAG', 'AdT7UjLOHT', 'tVg77EqbUg', 'Vbi7GlVmXF', 'tq57gAOnk3', 'aQH7E09wP1', 'Dispose', 'uqNBo5jj0N', 'YV8BHsvAyv', 'c1CBFaZ0RD'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, eIrXP1zeobAMVnoNhY.cs	High entropy of concatenated method names: 'iUL4jcEvth', 'Gci4c679Ix', 'Pvx4lcC27p', 'lR345GTYhu', 'MPK4hmZNqn', 'fpY4nNErPE', 'lBp4CN7IiX', 'G5h4EPmnqr', 'ex94mOpZSn', 'b9M49BRJIW'
Source: 0.2.rwilsss.exe.43ef4e8.3.raw.unpack, DrJRnExJedChmjJHv5.cs	High entropy of concatenated method names: 'HqjpmiCLlD', 'mXjp9qwAtI', 'j7DpNMPWHU', 'xEbpXHBd6I', 'wgFpIIJTtS', 'KuHpj4rVGF', 'reFpqJdDfh', 'XX4pcCx6vb', 'KX1plf32nE', 'vSjpfIagaX'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, VymkIglRuaHFKZBAIp.cs	High entropy of concatenated method names: 'fdAs6hhjkJ', 'IP0sodiJh7', 'v0CsHXVYEB', 'iYvsFlhuVC', 'pJZsulF3Dm', 'stdskhgyRo', 'VWospcQT3d', 'v7Iswfwi4U', 'HVLsbeYMaP', 'TAFsMjnkLl'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, OnMysNLFbSb5QwAC3Q.cs	High entropy of concatenated method names: 'Dispose', 'UMfOv2Pqsj', 'Yka0hS2GRS', 'nZ3VdUlpFk', 'LUwO8sWhdl', 'cQbOzBXR6M', 'ProcessDialogKey', 'KR40Jsf12L', 'aNd0OKYwdA', 'PHj00qpDAv'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, jpNNdKJJ1hFr3LgUtgo.cs	High entropy of concatenated method names: 'xy848nfxpy', 'AiL4ziKb6M', 'B97GJJephu', 'AXhGOmsgYP', 'BabG03D75f', 'GVXGsCp16p', 'Pl9GWxfGJP', 'u2ZG6tgJq7', 'vcaGoIAmwM', 'LGsGHbfDmY'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, eqbxTZJyciS1xf9lp0b.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RmGV78kFnV', 'whJV4fqfbe', 'FMLVGkeLns', 'WoOVV1hGQG', 'a49Vg4oCRM', 'tVFViwN2s2', 'YriVE5HsGf'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, HXDsCMhO9mjgsMCmtf.cs	High entropy of concatenated method names: 'ievHQkuEcF', 'zbqHt8TcZ7', 'nt9HeUJm0N', 'tmnHAQjxte', 'l8iHdLUWCK', 'FsgHxX4Zce', 'MuLHKytabO', 'VxRHrRfAeW', 'VmwHvIqCXL', 'KcsH8vL6vo'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, i3Njdl3CXLjpmBdJ3w.cs	High entropy of concatenated method names: 'ysfk6fj3hZ', 's0fkHT9I7m', 'CdnkuGpMTx', 'IhYkpA7Lv8', 'XEYkwq6awi', 'rldudLvN5V', 'WLduxNdOaC', 'yJOuKWoklT', 'xCnurY2BoF', 'k69uvWpDZ5'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, MEV1lhaVqPHXD3csOw.cs	High entropy of concatenated method names: 'yZIDc24pVb', 'MtqDlmSSPk', 'AgpD51oTvU', 'RsDDh2xcQJ', 'CM3DnKajmB', 'hKkDCK6Nco', 'BCBD1I6I3a', 'sBND20fnFY', 'RbxDYy9pvQ', 'F8WDTH23vd'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, obBW1w5pHtV0PamqJr.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WtI0vimTUQ', 'LeI08vpDgP', 'NGu0zpoj91', 'KqWsJeG6bD', 'OOgsOsfUTG', 'DkLs0Sf0gn', 'UAfssjr4QD', 'DBKTWsbCo0rTFfBnB2P'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, d5t3ZZdSPgAITYvHKH.cs	High entropy of concatenated method names: 'DSTZYTtlhd', 'UOXZSo8LT4', 'NWAZQ4Jlx5', 'snMZtYCiSJ', 'niBZhPxRxh', 'VxaZ3AISgl', 'pE7Zn8CJwg', 'cDIZCy1kyF', 'EbZZyknmFZ', 'X4jZ10hl1b'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, cTOGrkyaBeMZ8TG5B5.cs	High entropy of concatenated method names: 'JeROpD2CLU', 'u8jOwOBTHc', 'ShdOMMAYwc', 'kbHOPBVeuo', 'jbkOZvvS51', 'CTsOaQnjEm', 'hI4IYqF71kMV24scT8', 'YObQ8Sj3O1EpTVlinb', 'DISOOJtCdb', 'hrBOsNMRVR'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, ExSorQiXGXxCGIdqbB.cs	High entropy of concatenated method names: 'Plg75nD6Tb', 'e577hNb9gX', 'mlI73W3scG', 'KxM7njAXU9', 'rW87CoJdyG', 'eCB7yCqRp4', 'qQL71UO7gL', 'PEE725Q7dl', 'kZm7RZ5O6J', 'hfj7Y32nc7'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, z6mFim4BpxhscETyvU.cs	High entropy of concatenated method names: 'MMjNDQ1cY', 'UisXpQwFh', 'QP9jPlGbD', 'mb6qlQxJb', 'K6bliwdtQ', 'LENfaKTYo', 'al6U09YKIFq3uF2oOk', 'VyF7NDWOXKnvtLdYlf', 'PNDBXgSWI', 'kwZ4B3NbA'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, DOYSCepjRiuyCmCHml.cs	High entropy of concatenated method names: 'tNAUM7iDNZ', 'eHgUPmbIaq', 'ToString', 'wsQUotbgpj', 'aOLUHlFFCF', 'JgwUF1j9lh', 'camUu2hWTi', 'EdyUkfWhXm', 'gmFUpQdUSQ', 'FtAUwCC2L1'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, D1sF4PUHbEQO46e6kP.cs	High entropy of concatenated method names: 'K1VUrNQLdi', 'TRaU8XpO4A', 'Tc9BJst4QV', 'WGJBOgrxsX', 'nRxUTmRw3f', 'McqUSPg7YS', 'qDGUL6xwpp', 'YA6UQDxarb', 'xc4UtqT1N5', 'MGjUeImkJV'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, JiIKgUKZQ06uvI1n2T.cs	High entropy of concatenated method names: 'kqE4FjuBKD', 'OZy4uWnuNR', 'Wtl4ksWyZi', 'FLb4pGHve6', 'ki247coqUf', 'kgo4waKV16', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, EWKmYBjeAGS4vH2wGt.cs	High entropy of concatenated method names: 'cPPFXZHkdj', 'LJiFjk4jaY', 'eOPFcwZovK', 'xRRFlpNnCG', 'sf2FZJt5rg', 'nbPFaFtjBI', 'YLEFUHxhCA', 'ySsFBtDnvJ', 'N4wF7n5KNE', 'DBCF4eBibO'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, TkFvsr82CWWG31p0hb.cs	High entropy of concatenated method names: 'jixuIxnWic', 'RMquq1WBni', 'HTqF3tYOOP', 'jnRFnTw184', 'rqWFCwTs6W', 'P53FyFZja1', 'YDLF1p9n01', 'IEtF2FXxK5', 'z0LFRNytxT', 'qckFYQOGYB'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, tHeI2MOaATmMZ5REVL.cs	High entropy of concatenated method names: 'ToString', 'sZUaTZPrpG', 'UP1ahRofnB', 'L98a3lo2yh', 'XdlantZ3be', 'XwgaC2rxtK', 'RmIay6Zt7u', 'm5Ia1fycRR', 'OmIa2BERyJ', 'Gi7aRPKjrK'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, nBJGY3bHkXKSv1gm0K.cs	High entropy of concatenated method names: 'WgVpoBOwsP', 'iOupFncfD4', 'kgppkSFnoH', 'irAk8IHKkq', 'RAUkzqx9mC', 'C6wpJl2RGj', 'lUVpOk4ula', 'nRop0wD8pI', 'hjBpsDDevo', 'BXKpWVYQtq'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, VBVCP8cb6S9G4ikfis.cs	High entropy of concatenated method names: 'FEu7ZmjvAG', 'AdT7UjLOHT', 'tVg77EqbUg', 'Vbi7GlVmXF', 'tq57gAOnk3', 'aQH7E09wP1', 'Dispose', 'uqNBo5jj0N', 'YV8BHsvAyv', 'c1CBFaZ0RD'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, eIrXP1zeobAMVnoNhY.cs	High entropy of concatenated method names: 'iUL4jcEvth', 'Gci4c679Ix', 'Pvx4lcC27p', 'lR345GTYhu', 'MPK4hmZNqn', 'fpY4nNErPE', 'lBp4CN7IiX', 'G5h4EPmnqr', 'ex94mOpZSn', 'b9M49BRJIW'
Source: 0.2.rwilsss.exe.7b30000.7.raw.unpack, DrJRnExJedChmjJHv5.cs	High entropy of concatenated method names: 'HqjpmiCLlD', 'mXjp9qwAtI', 'j7DpNMPWHU', 'xEbpXHBd6I', 'wgFpIIJTtS', 'KuHpj4rVGF', 'reFpqJdDfh', 'XX4pcCx6vb', 'KX1plf32nE', 'vSjpfIagaX'

Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\cipher.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: 3000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: 5170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: 9170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: A370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Memory allocated: B370000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rwilsss.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cipher.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\rwilsss.exe TID: 8076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe TID: 5652	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe TID: 7876	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe TID: 7876	Thread sleep time: -268000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe TID: 7876	Thread sleep count: 9839 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe TID: 7876	Thread sleep time: -19678000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cipher.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cipher.exe	Last function: Thread delayed

Source: firefox.exe, 00000007.00000002.2081099015.000001FAEAFBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2563770174.0000000001158000.00000004.00000020.00020000.00000000.sdmp, cipher.exe, 00000004.00000002.2563320507.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rwilsss.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtCreateFile: Direct from: 0x77752FEC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtOpenFile: Direct from: 0x77752DCC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtSetInformationThread: Direct from: 0x777463F9	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtQueryInformationToken: Direct from: 0x77752CAC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtTerminateThread: Direct from: 0x77752FCC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtSetInformationProcess: Direct from: 0x77752C5C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtNotifyChangeKey: Direct from: 0x77753C2C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtOpenKeyEx: Direct from: 0x77752B9C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtOpenSection: Direct from: 0x77752E0C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtProtectVirtualMemory: Direct from: 0x77747B2E	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtQuerySystemInformation: Direct from: 0x777548CC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtCreateUserProcess: Direct from: 0x7775371C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtWriteVirtualMemory: Direct from: 0x7775490C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtQueryInformationProcess: Direct from: 0x77752C26	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtResumeThread: Direct from: 0x77752FBC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtCreateKey: Direct from: 0x77752C6C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtReadVirtualMemory: Direct from: 0x77752E8C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtSetInformationThread: Direct from: 0x77752B4C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtQueryAttributesFile: Direct from: 0x77752E6C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtCreateMutant: Direct from: 0x777535CC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtMapViewOfSection: Direct from: 0x77752D1C	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtResumeThread: Direct from: 0x777536AC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtReadFile: Direct from: 0x77752ADC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtQuerySystemInformation: Direct from: 0x77752DFC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtDelayExecution: Direct from: 0x77752DDC	Jump to behavior
Source: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC	Jump to behavior

Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: NULL target: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\rwilsss.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cipher.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: NULL target: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: NULL target: C:\Program Files (x86)\HMmyAJwmsdHStRLvkEUXapVqdJhAMrBqiJHYgTKOappQiUXvkZWEjRTRwDALj\956BZGpkmvZDS0Ds.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2564192142.00000000016C0000.00000002.00000001.00040000.00000000.sdmp, 956BZGpkmvZDS0Ds.exe, 00000003.00000000.1709378622.00000000016C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2564192142.00000000016C0000.00000002.00000001.00040000.00000000.sdmp, 956BZGpkmvZDS0Ds.exe, 00000003.00000000.1709378622.00000000016C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2564192142.00000000016C0000.00000002.00000001.00040000.00000000.sdmp, 956BZGpkmvZDS0Ds.exe, 00000003.00000000.1709378622.00000000016C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 956BZGpkmvZDS0Ds.exe, 00000003.00000002.2564192142.00000000016C0000.00000002.00000001.00040000.00000000.sdmp, 956BZGpkmvZDS0Ds.exe, 00000003.00000000.1709378622.00000000016C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cipher.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
103.224.182.242	www.greyareaclothing.store	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
172.64.80.1	www.link6-tesla-nd6.xyz	United States	13335	CLOUDFLARENETUS	true
104.166.91.35	www.hellosweetie.net	United States	46261	QUICKPACKETUS	true

Name	Malicious	Antivirus Detection	Reputation
http://www.greyareaclothing.store/hnau/?qNfTm=It7h28&fR=ff1YCXiTWW4cronbiq9MGdiWlqGOzdA8w4Ki7N0QaK1i9QkYzKHUVEZHk15HQFwSEDwxmz8E4etY1UkfuJt9MSgwr7jqtLW+NVd7ppd4VdPtV/YghcXnRLg=	false	Avira URL Cloud: malware	unknown
http://www.hellosweetie.net/e7k4/	true	Avira URL Cloud: malware	unknown
http://www.link6-tesla-nd6.xyz/swvy/	true	Avira URL Cloud: safe	unknown
http://www.link6-tesla-nd6.xyz/swvy/?fR=XmKRY/t03EXKotfV27rpDi4Y7n4N3D4pVt6OywdHmo1/t4zPfsyxQcTruN1gdpMmfgSMn23VTjbybs3ZENJsdIgpWTI6AOV1xHSAMA6v7RrhmW1TPsqc/lc=&qNfTm=It7h28	true	Avira URL Cloud: safe	unknown
http://www.hellosweetie.net/e7k4/?fR=PCaq+8SJhdNev9S780c3MbnLxcb9xrw0LZhyuWsfCuz+E7fQV66LHSkbKMkqmntN/Wo7RToQsXo9VJ/le6MACc/ER0UdFwyMaQgiHOq8F/NNUaNt2b5IJfg=&qNfTm=It7h28	true	Avira URL Cloud: malware	unknown

ID:	1650112
Product:	CloudBasic
Start time:	13:30:28
Start date:	27.03.2025
Sample:	rwilsss.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0ad858f5d7afc96924fb09dce7fc64c5
SHA1:	ec5d9ef1295313778a2fc53d49b58b2c52ecbf18
SHA256:	3a150034f743320c85c890a29755032d9f850d0da9848c7a96c63bd2690e3495
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Windows Analysis Report rwilsss.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
rwilsss.exe

Malware Threat Intel
Provided by

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwilsss.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\DBz1OY4KN	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	2791D27717CAB5981A0EA5AD07EE6B64	1ACFA3E6B2D3A682CA918D6C1AA4AEBFBA2D9B75	A2D12FE1A445318E2A559FA65998843F50469BEDB41B0F8EBEF008DB6EEE1A7F