Windows Analysis Report PO 56720012359.exe

Overview

General Information

Sample Name: PO 56720012359.exe
Analysis ID: 483537
MD5: 839c75a88734aaf014ef0c3d77ce9109
SHA1: 10d79cb8e51fd30bfff63b2465ba0e111f6dd500
SHA256: 1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
Tags: exe

Detection: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • PO 56720012359.exe (PID: 2600 cmdline: 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: 839C75A88734AAF014EF0C3D77CE9109)
    • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO 56720012359.exe (PID: 1392 cmdline: 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: 839C75A88734AAF014EF0C3D77CE9109)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6324 cmdline: /c del 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.allfyllofficial.com/b6cu/"], "decoy": ["sxdiyan.com", "web0084.com", "cpafirmspokane.com", "la-bio-geo.com", "chacrit.com", "stuntfighting.com", "rjsworkshop.com", "themillennialsfinest.com", "thefrontrealestate.com", "chairmn.com", "best1korea.com", "gudssutu.icu", "backupchip.net", "shrikanthamimports.com", "sportrecoverysleeve.com", "healthy-shack.com", "investperwear.com", "intertradeperu.com", "resonantonshop.com", "greghugheslaw.com", "instrumentum.store", "creative-cloud.info", "sansfoundations.com", "pmca.asia", "night.doctor", "19v5.com", "cmas.life", "yhanlikho.com", "kartikpatelrealtor.com", "viralpagi.com", "samsonengineeringco.com", "mh666.cool", "laboratoriosjj.com", "produklokal.com", "tjhysb.com", "solutions-oigroup.com", "chictarh.com", "gotmail.info", "yourvalue.online", "mylinkreview.com", "champonpowerequipment.com", "starcoupeownersindonesia.com", "buzagialtligi.com", "botol2-lasdnk.com", "blunss.info", "l3-construction.com", "fmodesign.com", "silkraga.com", "editimpact.com", "unionairjordanla.com", "lacageavin.com", "gushixiu.com", "cleanlast.com", "awvpvkmzxa.com", "xiaosandao.com", "nldcostmetics.com", "prosperitywithsoul.com", "kheticulture.com", "booksbykimberlyeandco.com", "creativehughes.com", "mobilewz.com", "arerasols.com", "w-hanaemi-personal.com", "dynamonetwork.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xa83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x66c9:$sqlite3step: 68 34 1C 7B E1
  • 0x67dc:$sqlite3step: 68 34 1C 7B E1
  • 0x66f8:$sqlite3text: 68 38 2A 90 C5
  • 0x681d:$sqlite3text: 68 38 2A 90 C5
  • 0x670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO 56720012359.exe.2d10000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO 56720012359.exe.2d10000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO 56720012359.exe.2d10000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.2.PO 56720012359.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.PO 56720012359.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PO 56720012359.exe | Virustotal: Detection: 50%
Source: PO 56720012359.exe | ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match | File source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.allfyllofficial.com/b6cu/ | Avira URL Cloud: Label: malware
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.PO 56720012359.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO 56720012359.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO 56720012359.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO 56720012359.exe, 00000001.00000003.249848116.0000000002D80000.00000004.00000001.sdmp, PO 56720012359.exe, 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, cscript.exe, 00000010.00000003.329208174.0000000005160000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO 56720012359.exe, cscript.exe
Source: Binary string: cscript.pdb | source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 156.252.96.170 80
Source: C:\Windows\explorer.exe | Domain query: www.fmodesign.com
Source: C:\Windows\explorer.exe | Domain query: www.healthy-shack.com
Source: C:\Windows\explorer.exe | Domain query: www.arerasols.com
Source: C:\Windows\explorer.exe | Network Connect: 154.81.100.18 80
Source: C:\Windows\explorer.exe | Network Connect: 107.180.44.148 80
Source: C:\Windows\explorer.exe | Domain query: www.mobilewz.com
Source: C:\Windows\explorer.exe | Network Connect: 23.252.68.226 80
Source: C:\Windows\explorer.exe | Domain query: www.stuntfighting.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.allfyllofficial.com/b6cu/
Source: Joe Sandbox View | ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: global traffic | HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ HTTP/1.1 | Host: www.stuntfighting.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 HTTP/1.1 | Host: www.fmodesign.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz HTTP/1.1 | Host: www.healthy-shack.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 15 Sep 2021 06:36:29 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://findquickresultsnow.com/High_Speed_Internet.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLN
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://findquickresultsnow.com/Parental_Control.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLNmNk
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://findquickresultsnow.com/display.cfm
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://findquickresultsnow.com/px.js?ch=1
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://findquickresultsnow.com/px.js?ch=2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://findquickresultsnow.com/sk-logabpstatus.php?a=NXM3Y25kMzZuSzNqUXBxY0xQbmloMGRRSnhhT3VRc1EvRkt
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/js/min.js?v2.2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/arrow.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libg.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libgh.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/logo.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp | String found in binary or memory: http://www.mobilewz.com/
Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp | String found in binary or memory: http://www.mobilewz.com/user
Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp | String found in binary or memory: http://www.mobilewz.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=hpZKB5Wc2v3dAucjERLG4WeGvlE/NyvmoCIino6AurWFNcX
Source: unknown | DNS traffic detected: queries for: www.stuntfighting.com

E-Banking Fraud:

Yara detected FormBook (the same Yara matches as listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: PO 56720012359.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: String function 008B3B40 appears 42 times
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: String function 012EB150 appears 35 times
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: String function 008B42A1 appears 32 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function 0532B150 appears 66 times
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_004181D0 NtCreateFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_00418280 NtReadFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_00418300 NtClose
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_004183B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_004181CA NtCreateFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041827A NtReadFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_004182CA NtReadFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_004182FA NtClose
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_004183AB NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013299A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013298F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013295D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013297A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013296E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329950 NtQueueApcThread
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013299D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329820 NtEnumerateKey
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0132B040 NtSuspendThread
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013298A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329B00 NtSetValueKey
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0132A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329A10 NtQuerySection
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0132AD30 NtSetContextThread
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329560 NtWriteFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013295F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0132A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0132A770 NtOpenThread
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329770 NtSetInformationFile
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329760 NtOpenProcess
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_01329650 NtQueryValueKey
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_013296D0 NtCreateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053695D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053696E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053696D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053699A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0536AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369560 NtWriteFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053695F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0536A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0536A770 NtOpenThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369760 NtOpenProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053697A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053699D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0536B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053698A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_053698F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0536A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369A20 NtResumeThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369A10 NtQuerySection
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_05369A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD81D0 NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD8280 NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD83B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD8300 NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD81CA NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD82CA NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD82FA NtClose
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD827A NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD83AB NtAllocateVirtualMemory
Source: PO 56720012359.exe, 00000001.00000003.247597225.0000000002FFF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO 56720012359.exe
Source: PO 56720012359.exe, 00000003.00000002.329509813.000000000156F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO 56720012359.exe
Source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs PO 56720012359.exe
Source: PO 56720012359.exe | Virustotal: Detection: 50%
Source: PO 56720012359.exe | ReversingLabs: Detection: 40%
Source: PO 56720012359.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 56720012359.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Users\user\Desktop\PO 56720012359.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 56720012359.exe | Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/0@8/5
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 1_2_008B1450 lstrlenW, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapFree, lstrlenW, StartServiceCtrlDispatcherW, GetLastError, GetProcessHeap, HeapFree
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_008B1450 lstrlenW, GetProcessHeap, HeapAlloc, GetProcessHeap, HeapFree, lstrlenW, StartServiceCtrlDispatcherW, GetLastError, GetProcessHeap, HeapFree
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO 56720012359.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 56720012359.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 56720012359.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 56720012359.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 56720012359.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 56720012359.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO 56720012359.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO 56720012359.exe, 00000001.00000003.249848116.0000000002D80000.00000004.00000001.sdmp, PO 56720012359.exe, 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, cscript.exe, 00000010.00000003.329208174.0000000005160000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO 56720012359.exe, cscript.exe
Source: Binary string: cscript.pdb | source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
Source: PO 56720012359.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO 56720012359.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO 56720012359.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO 56720012359.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO 56720012359.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 1_2_008B3B85 push ecx; ret 1_2_008B3B98
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_00416087 push cs; ret 3_2_0041608A
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041B9CF push edi; ret 3_2_0041B9D1
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041C9D1 push es; ret 3_2_0041C9D3
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_00415262 push esp; iretd 3_2_00415263
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041B3C5 push eax; ret 3_2_0041B418
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041B47C push eax; ret 3_2_0041B482
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041B412 push eax; ret 3_2_0041B418
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0041B41B push eax; ret 3_2_0041B482
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_00414FB9 pushad ; ret 3_2_00414FBF
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_008B3B85 push ecx; ret 3_2_008B3B98
Source: C:\Users\user\Desktop\PO 56720012359.exe | Code function: 3_2_0133D0D1 push ecx; ret 3_2_0133D0E4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_0537D0D1 push ecx; ret 16_2_0537D0E4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD6087 push cs; ret 16_2_00DD608A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DDC9D1 push es; ret 16_2_00DDC9D3
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DDB9CF push edi; ret 16_2_00DDB9D1
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD5262 push esp; iretd 16_2_00DD5263
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DDB3C5 push eax; ret 16_2_00DDB418
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DDB47C push eax; ret 16_2_00DDB482
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DDB41B push eax; ret 16_2_00DDB482
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DDB412 push eax; ret 16_2_00DDB418
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 16_2_00DD4FB9 pushad ; ret 16_2_00DD4FBF
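The push/ret pairs above are what the report counts as call/push/ret obfuscation: pushing a register or segment register and then executing ret transfers control to whatever was pushed, so the jump target never appears as a call or jmp operand and static call-graph recovery misses it. The same offsets recur in the sample (3_2_0041xxxx) and in cscript.exe (16_2_00DDxxxx), consistent with the same code being injected into cscript.exe. The Python below is an added example, not the sandbox's detector: a byte-level scan for a one-byte push opcode directly followed by a return opcode, run over a constructed buffer that reproduces the listed forms. The sandbox also pairs non-adjacent instructions (push eax at 3_2_0041B3C5 with ret at 3_2_0041B418), which needs a disassembler-driven flow walk rather than a byte scan.

```python
"""Byte-level scan for adjacent push/ret gadgets in x86 code (added example, constructed bytes)."""

# One-byte push forms that can precede a ret in this obfuscation pattern
PUSH_OPCODES = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x60: "pushad",
}
# Return opcodes; 0xC2 'ret imm16' is matched on its opcode byte only
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0):
    """(address, mnemonic) for every push opcode directly followed by a return opcode."""
    hits = []
    for i in range(len(code) - 1):
        a, b = code[i], code[i + 1]
        if a in PUSH_OPCODES and b in RET_OPCODES:
            hits.append((base + i, f"{PUSH_OPCODES[a]}; {RET_OPCODES[b]}"))
    return hits


def gadget_density(code: bytes):
    """Hits per 1 KiB of code. A few pairs across a whole image are ordinary compiler
    output; a high rate inside one small region is the obfuscation signal."""
    if not code:
        return 0.0
    return len(find_push_ret(code)) * 1024 / len(code)


# Constructed code bytes reproducing the reported forms plus an ordinary prologue and epilogue
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,   # push ebp; mov ebp, esp   (normal prologue: push not followed by ret)
    0x0E, 0xC3,         # push cs; ret
    0x90,               # nop
    0x57, 0xC3,         # push edi; ret
    0x06, 0xC3,         # push es; ret
    0x54, 0xCF,         # push esp; iretd
    0x60, 0xC3,         # pushad; ret
    0x51, 0xC3,         # push ecx; ret
    0x5D, 0xC3,         # pop ebp; ret             (normal epilogue: not flagged)
])

if __name__ == "__main__":
    for addr, mnem in find_push_ret(SAMPLE_CODE, base=0x400000):
        print(f"{addr:08X} {mnem}")
```

Treat hits from this scan as a weak indicator: the two-byte pattern also occurs inside data, immediates and compiler-generated runtime code, and the scan cannot distinguish a real instruction boundary from a byte pair it happens to straddle. Run it over executable sections only and look at the density, not the raw count.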