Play interactive tour

Edit tour

Windows Analysis Report PO 56720012359.exe

Overview

General Information

Sample Name:	PO 56720012359.exe
Analysis ID:	483537
MD5:	839c75a88734aaf014ef0c3d77ce9109
SHA1:	10d79cb8e51fd30bfff63b2465ba0e111f6dd500
SHA256:	1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Self deletion via cmd delete

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

PO 56720012359.exe (PID: 2600 cmdline: 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: 839C75A88734AAF014EF0C3D77CE9109)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PO 56720012359.exe (PID: 1392 cmdline: 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: 839C75A88734AAF014EF0C3D77CE9109)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cscript.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

cmd.exe (PID: 6324 cmdline: /c del 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.allfyllofficial.com/b6cu/"], "decoy": ["sxdiyan.com", "web0084.com", "cpafirmspokane.com", "la-bio-geo.com", "chacrit.com", "stuntfighting.com", "rjsworkshop.com", "themillennialsfinest.com", "thefrontrealestate.com", "chairmn.com", "best1korea.com", "gudssutu.icu", "backupchip.net", "shrikanthamimports.com", "sportrecoverysleeve.com", "healthy-shack.com", "investperwear.com", "intertradeperu.com", "resonantonshop.com", "greghugheslaw.com", "instrumentum.store", "creative-cloud.info", "sansfoundations.com", "pmca.asia", "night.doctor", "19v5.com", "cmas.life", "yhanlikho.com", "kartikpatelrealtor.com", "viralpagi.com", "samsonengineeringco.com", "mh666.cool", "laboratoriosjj.com", "produklokal.com", "tjhysb.com", "solutions-oigroup.com", "chictarh.com", "gotmail.info", "yourvalue.online", "mylinkreview.com", "champonpowerequipment.com", "starcoupeownersindonesia.com", "buzagialtligi.com", "botol2-lasdnk.com", "blunss.info", "l3-construction.com", "fmodesign.com", "silkraga.com", "editimpact.com", "unionairjordanla.com", "lacageavin.com", "gushixiu.com", "cleanlast.com", "awvpvkmzxa.com", "xiaosandao.com", "nldcostmetics.com", "prosperitywithsoul.com", "kheticulture.com", "booksbykimberlyeandco.com", "creativehughes.com", "mobilewz.com", "arerasols.com", "w-hanaemi-personal.com", "dynamonetwork.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x66c9:$sqlite3step: 68 34 1C 7B E1 0x67dc:$sqlite3step: 68 34 1C 7B E1 0x66f8:$sqlite3text: 68 38 2A 90 C5 0x681d:$sqlite3text: 68 38 2A 90 C5 0x670b:$sqlite3blob: 68 53 D8 7F 8C 0x6833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x66c9:$sqlite3step: 68 34 1C 7B E1 0x67dc:$sqlite3step: 68 34 1C 7B E1 0x66f8:$sqlite3text: 68 38 2A 90 C5 0x681d:$sqlite3text: 68 38 2A 90 C5 0x670b:$sqlite3blob: 68 53 D8 7F 8C 0x6833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.PO 56720012359.exe.2d10000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO 56720012359.exe.2d10000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO 56720012359.exe.2d10000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.2.PO 56720012359.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.PO 56720012359.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.PO 56720012359.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO 56720012359.exe.2d10000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO 56720012359.exe.2d10000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO 56720012359.exe.2d10000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
3.2.PO 56720012359.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.PO 56720012359.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.PO 56720012359.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.allfyllofficial.com/b6cu/"], "decoy": ["sxdiyan.com", "web0084.com", "cpafirmspokane.com", "la-bio-geo.com", "chacrit.com", "stuntfighting.com", "rjsworkshop.com", "themillennialsfinest.com", "thefrontrealestate.com", "chairmn.com", "best1korea.com", "gudssutu.icu", "backupchip.net", "shrikanthamimports.com", "sportrecoverysleeve.com", "healthy-shack.com", "investperwear.com", "intertradeperu.com", "resonantonshop.com", "greghugheslaw.com", "instrumentum.store", "creative-cloud.info", "sansfoundations.com", "pmca.asia", "night.doctor", "19v5.com", "cmas.life", "yhanlikho.com", "kartikpatelrealtor.com", "viralpagi.com", "samsonengineeringco.com", "mh666.cool", "laboratoriosjj.com", "produklokal.com", "tjhysb.com", "solutions-oigroup.com", "chictarh.com", "gotmail.info", "yourvalue.online", "mylinkreview.com", "champonpowerequipment.com", "starcoupeownersindonesia.com", "buzagialtligi.com", "botol2-lasdnk.com", "blunss.info", "l3-construction.com", "fmodesign.com", "silkraga.com", "editimpact.com", "unionairjordanla.com", "lacageavin.com", "gushixiu.com", "cleanlast.com", "awvpvkmzxa.com", "xiaosandao.com", "nldcostmetics.com", "prosperitywithsoul.com", "kheticulture.com", "booksbykimberlyeandco.com", "creativehughes.com", "mobilewz.com", "arerasols.com", "w-hanaemi-personal.com", "dynamonetwork.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PO 56720012359.exe	Virustotal: Detection: 50%			Perma Link
Source: PO 56720012359.exe	ReversingLabs: Detection: 40%

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: www.allfyllofficial.com/b6cu/

Avira URL Cloud: Label: malware

Source: 1.2.PO 56720012359.exe.2d10000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.PO 56720012359.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: PO 56720012359.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO 56720012359.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO 56720012359.exe, 00000001.00000003.249848116.0000000002D80000.00000004.00000001.sdmp, PO 56720012359.exe, 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, cscript.exe, 00000010.00000003.329208174.0000000005160000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO 56720012359.exe, cscript.exe
Source:	Binary string: cscript.pdb source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 156.252.96.170 80
Source: C:\Windows\explorer.exe	Domain query: www.fmodesign.com
Source: C:\Windows\explorer.exe	Domain query: www.healthy-shack.com
Source: C:\Windows\explorer.exe	Domain query: www.arerasols.com
Source: C:\Windows\explorer.exe	Network Connect: 154.81.100.18 80
Source: C:\Windows\explorer.exe	Network Connect: 107.180.44.148 80
Source: C:\Windows\explorer.exe	Domain query: www.mobilewz.com
Source: C:\Windows\explorer.exe	Network Connect: 23.252.68.226 80
Source: C:\Windows\explorer.exe	Domain query: www.stuntfighting.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.allfyllofficial.com/b6cu/

Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

Source: global traffic	HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ HTTP/1.1Host: www.stuntfighting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 HTTP/1.1Host: www.fmodesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz HTTP/1.1Host: www.healthy-shack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 15 Sep 2021 06:36:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://findquickresultsnow.com/High_Speed_Internet.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLN
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://findquickresultsnow.com/Parental_Control.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLNmNk
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://findquickresultsnow.com/display.cfm
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://findquickresultsnow.com/px.js?ch=1
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://findquickresultsnow.com/px.js?ch=2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://findquickresultsnow.com/sk-logabpstatus.php?a=NXM3Y25kMzZuSzNqUXBxY0xQbmloMGRRSnhhT3VRc1EvRkt
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/js/min.js?v2.2
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/arrow.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libg.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/libgh.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/logo.png)
Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp	String found in binary or memory: http://www.mobilewz.com/
Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp	String found in binary or memory: http://www.mobilewz.com/user
Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp	String found in binary or memory: http://www.mobilewz.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=hpZKB5Wc2v3dAucjERLG4WeGvlE/NyvmoCIino6AurWFNcX

Source: unknown

DNS traffic detected: queries for: www.stuntfighting.com

Source: global traffic	HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ HTTP/1.1Host: www.stuntfighting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 HTTP/1.1Host: www.fmodesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz HTTP/1.1Host: www.healthy-shack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: PO 56720012359.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B2FCD
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008BB81D
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008BA851
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B9072
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B95E4
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B8B00
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B795C
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041C824
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B9D3
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041C254
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041CBD2
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00408C6B
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00408C70
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041CEBE
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041BF72
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B731
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008BB81D
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008BA851
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B9072
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B795C
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B8B00
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B95E4
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B2FCD
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01304120
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EF900
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1002
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B20A8
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FB090
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B28EC
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B2B28
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131EBB0
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013ADBD2
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B22AE
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E0D20
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B2D07
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B1D55
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312581
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FD5E0
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B25DD
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F841F
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AD466
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B1FF1
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01306E30
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AD616
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B2EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05320D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F2D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F1D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05352581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533D5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F25DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053ED466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F1FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053FDFCE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05346E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053ED616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F2EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05344120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534A830
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053FE824
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F20A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533B090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F28EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F2B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534AB40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535EBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E03DA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EDBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053DFA2B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F22AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDC824
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB9D3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDC254
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DC8C70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DC8C6B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DC2D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DC2FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDBF72
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB731

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: String function: 008B3B40 appears 42 times
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: String function: 012EB150 appears 35 times
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: String function: 008B42A1 appears 32 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0532B150 appears 66 times

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_004181D0 NtCreateFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00418280 NtReadFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00418300 NtClose,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_004183B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_004181CA NtCreateFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041827A NtReadFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_004182CA NtReadFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_004182FA NtClose,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_004183AB NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013298F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013295D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329950 NtQueueApcThread,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013299D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329820 NtEnumerateKey,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0132B040 NtSuspendThread,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013298A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329B00 NtSetValueKey,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0132A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329A10 NtQuerySection,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0132AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329560 NtWriteFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013295F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0132A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0132A770 NtOpenThread,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329770 NtSetInformationFile,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329760 NtOpenProcess,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01329650 NtQueryValueKey,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013296D0 NtCreateKey,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0536AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369560 NtWriteFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0536A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0536A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0536B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0536A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05369A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD81D0 NtCreateFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD8280 NtReadFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD83B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD8300 NtClose,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD81CA NtCreateFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD82CA NtReadFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD82FA NtClose,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD827A NtReadFile,
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD83AB NtAllocateVirtualMemory,

Source: PO 56720012359.exe, 00000001.00000003.247597225.0000000002FFF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO 56720012359.exe
Source: PO 56720012359.exe, 00000003.00000002.329509813.000000000156F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO 56720012359.exe
Source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs PO 56720012359.exe

Source: PO 56720012359.exe	Virustotal: Detection: 50%
Source: PO 56720012359.exe	ReversingLabs: Detection: 40%

Source: PO 56720012359.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO 56720012359.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Users\user\Desktop\PO 56720012359.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 56720012359.exe	Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 56720012359.exe	Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 56720012359.exe'

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/0@8/5

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B1450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B1450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B1450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: PO 56720012359.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 56720012359.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 56720012359.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 56720012359.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 56720012359.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 56720012359.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO 56720012359.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: PO 56720012359.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cscript.pdbUGP source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO 56720012359.exe, 00000001.00000003.249848116.0000000002D80000.00000004.00000001.sdmp, PO 56720012359.exe, 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, cscript.exe, 00000010.00000003.329208174.0000000005160000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO 56720012359.exe, cscript.exe
Source:	Binary string: cscript.pdb source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp

Source: PO 56720012359.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO 56720012359.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO 56720012359.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO 56720012359.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO 56720012359.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B3B85 push ecx; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00416087 push cs; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B9CF push edi; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041C9D1 push es; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00415262 push esp; iretd
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B47C push eax; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B412 push eax; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0041B41B push eax; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_00414FB9 pushad ; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B3B85 push ecx; ret
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0133D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0537D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD6087 push cs; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDC9D1 push es; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB9CF push edi; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD5262 push esp; iretd
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB3C5 push eax; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB47C push eax; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB41B push eax; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DDB412 push eax; ret
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00DD4FB9 pushad ; ret

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B1450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (15).png

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cscript.exe	Process created: /c del 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\SysWOW64\cscript.exe	Process created: /c del 'C:\Users\user\Desktop\PO 56720012359.exe'

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B2FCD RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PO 56720012359.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO 56720012359.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000DC85F4 second address: 0000000000DC85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000DC898E second address: 0000000000DC8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\cscript.exe TID: 6476

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 3_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\PO 56720012359.exe

Process information queried: ProcessInformation

Source: explorer.exe, 00000005.00000000.315506357.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.273233836.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: cscript.exe, 00000010.00000002.508575985.000000000365E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.272485902.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000005.00000000.278989155.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.289003104.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.278989155.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B4E99 _memset,IsDebuggerPresent,

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B5AC5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B10B0 ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 3_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\PO 56720012359.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01304120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01304120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01304120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01304120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01304120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013669A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013741E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01367016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01367016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01367016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01300050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01300050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013290AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01363884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01363884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01313B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01313B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01314BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01314BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01314BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0139D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01324A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01324A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01303A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0132927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0139B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0139B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01374257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0136A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01314D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01314D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01314D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01307D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01323D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01363540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01311DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01311DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01311DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013135A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01312581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01398DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01366CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012E4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012FEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01367794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01367794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01367794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013237F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0139FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0131A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01318E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013A1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013AAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013646A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0137FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_012F76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013116E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013B8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_01328EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_0139FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_013136CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053AA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05354D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05354D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05354D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05347D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05363D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053D3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05351DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05351DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05351DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053535A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053D8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05324F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05324F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05338794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053637F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053DFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05358E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053EAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053376E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053516E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05368EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053536CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053DFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05344120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05344120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05344120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05344120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05344120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05329100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05329100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05329100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05352990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0534A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0533B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05340050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05340050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0535F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053690AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05329080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053A3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053240E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053240E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053240E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053258EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053BB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053E131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05353B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_05353B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_053F8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0532F358 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\PO 56720012359.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 3_2_00409B30 LdrLoadDll,

Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B40F0 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 1_2_008B4121 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B40F0 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\PO 56720012359.exe	Code function: 3_2_008B4121 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 156.252.96.170 80
Source: C:\Windows\explorer.exe	Domain query: www.fmodesign.com
Source: C:\Windows\explorer.exe	Domain query: www.healthy-shack.com
Source: C:\Windows\explorer.exe	Domain query: www.arerasols.com
Source: C:\Windows\explorer.exe	Network Connect: 154.81.100.18 80
Source: C:\Windows\explorer.exe	Network Connect: 107.180.44.148 80
Source: C:\Windows\explorer.exe	Domain query: www.mobilewz.com
Source: C:\Windows\explorer.exe	Network Connect: 23.252.68.226 80
Source: C:\Windows\explorer.exe	Domain query: www.stuntfighting.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\PO 56720012359.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1210000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PO 56720012359.exe	Section loaded: unknown target: C:\Users\user\Desktop\PO 56720012359.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO 56720012359.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO 56720012359.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO 56720012359.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO 56720012359.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO 56720012359.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO 56720012359.exe	Thread register set: target process: 3472
Source: C:\Users\user\Desktop\PO 56720012359.exe	Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3472

Source: C:\Users\user\Desktop\PO 56720012359.exe	Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 56720012359.exe'

Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.255386675.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B74BC cpuid

Source: C:\Users\user\Desktop\PO 56720012359.exe

Code function: 1_2_008B3A01 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Service Execution2	Windows Service3	Windows Service3	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Application Shimming1	Process Injection512	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery151	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Application Shimming1	Process Injection512	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO 56720012359.exe	51%	Virustotal		Browse
PO 56720012359.exe	40%	ReversingLabs	Win32.Trojan.Brresmon

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.PO 56720012359.exe.2d10000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
3.2.PO 56720012359.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
healthy-shack.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	0%	Avira URL Cloud	safe
http://www.stuntfighting.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	0%	Avira URL Cloud	safe
http://findquickresultsnow.com/sk-logabpstatus.php?a=NXM3Y25kMzZuSzNqUXBxY0xQbmloMGRRSnhhT3VRc1EvRkt	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	0%	Avira URL Cloud	safe
http://findquickresultsnow.com/display.cfm	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/pics/12471/libgh.png)	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/pics/12471/arrow.png)	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/pics/12471/bodybg.png)	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/pics/12471/logo.png)	0%	Avira URL Cloud	safe
http://findquickresultsnow.com/High_Speed_Internet.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLN	0%	Avira URL Cloud	safe
http://www.fmodesign.com/b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2	0%	Avira URL Cloud	safe
http://findquickresultsnow.com/px.js?ch=2	0%	Avira URL Cloud	safe
http://findquickresultsnow.com/px.js?ch=1	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/pics/12471/libg.png)	0%	Avira URL Cloud	safe
www.allfyllofficial.com/b6cu/	100%	Avira URL Cloud	malware
http://www.mobilewz.com/user	0%	Avira URL Cloud	safe
http://www.healthy-shack.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	0%	Avira URL Cloud	safe
http://www.mobilewz.com/	0%	Avira URL Cloud	safe
http://www.mobilewz.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=hpZKB5Wc2v3dAucjERLG4WeGvlE/NyvmoCIino6AurWFNcX	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	0%	Avira URL Cloud	safe
http://i1.cdn-image.com/__media__/js/min.js?v2.2	0%	URL Reputation	safe
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	0%	Avira URL Cloud	safe
http://findquickresultsnow.com/Parental_Control.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLNmNk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.mobilewz.com	23.252.68.226	true	true		unknown
www.fmodesign.com	154.81.100.18	true	true		unknown
healthy-shack.com	107.180.44.148	true	true	0%, Virustotal, Browse	unknown
www.allfyllofficial.com	50.87.144.47	true	true		unknown
www.stuntfighting.com	156.252.96.170	true	true		unknown
www.la-bio-geo.com	unknown	unknown	true		unknown
www.healthy-shack.com	unknown	unknown	true		unknown
www.arerasols.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.stuntfighting.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+	true	Avira URL Cloud: safe	unknown
http://www.fmodesign.com/b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2	true	Avira URL Cloud: safe	unknown
www.allfyllofficial.com/b6cu/	true	Avira URL Cloud: malware	low
http://www.healthy-shack.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://findquickresultsnow.com/sk-logabpstatus.php?a=NXM3Y25kMzZuSzNqUXBxY0xQbmloMGRRSnhhT3VRc1EvRkt	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://findquickresultsnow.com/display.cfm	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/pics/12471/libgh.png)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/pics/12471/arrow.png)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/pics/12471/bodybg.png)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/pics/12471/logo.png)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://findquickresultsnow.com/High_Speed_Internet.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLN	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://findquickresultsnow.com/px.js?ch=2	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://findquickresultsnow.com/px.js?ch=1	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/pics/12471/libg.png)	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mobilewz.com/user	cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mobilewz.com/	cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mobilewz.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=hpZKB5Wc2v3dAucjERLG4WeGvlE/NyvmoCIino6AurWFNcX	cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i1.cdn-image.com/__media__/js/min.js?v2.2	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	URL Reputation: safe	unknown
http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://findquickresultsnow.com/Parental_Control.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLNmNk	cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
156.252.96.170	www.stuntfighting.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
154.81.100.18	www.fmodesign.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
107.180.44.148	healthy-shack.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
23.252.68.226	www.mobilewz.com	Turkey	59447	SAYFANETTR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483537
Start date:	15.09.2021
Start time:	08:34:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 24s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO 56720012359.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/0@8/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 30.6% (good quality ratio 28.4%) Quality average: 78.3% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.209.183, 40.112.88.60, 20.50.102.62, 23.216.77.209, 23.216.77.208 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
154.81.100.18	SOA.exe	Get hash	malicious	Browse	www.fmodesign.com/b6cu/?2dpHPlu=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHYsgZWZbIPAY&I2Jh=qZzPvfA0dTw
23.252.68.226	vbc.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.stuntfighting.com	New Order.exe	Get hash	malicious	Browse	156.252.96.170
www.allfyllofficial.com	vbc.exe	Get hash	malicious	Browse	50.87.144.47
	USD INV#1191189.xlsx	Get hash	malicious	Browse	50.87.144.47
	New Order.exe	Get hash	malicious	Browse	50.87.144.47
	SOA.exe	Get hash	malicious	Browse	50.87.144.47
www.mobilewz.com	vbc.exe	Get hash	malicious	Browse	23.252.68.226
www.fmodesign.com	SOA.exe	Get hash	malicious	Browse	154.81.100.18

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	avxeC9Wssi	Get hash	malicious	Browse	154.93.93.143
	KXM253rCpW	Get hash	malicious	Browse	45.202.220.126
	Antisocial.x86	Get hash	malicious	Browse	45.202.220.145
	Antisocial.arm	Get hash	malicious	Browse	45.202.220.132
	Bdcuhmcgbsvmxhmuasrulqqnfbjdnogomk.exe	Get hash	malicious	Browse	156.250.206.123
	wqrPKr29Ca	Get hash	malicious	Browse	156.242.206.11
	mzPc4AjQ56.exe	Get hash	malicious	Browse	154.201.233.72
	2kPrDBMxZV	Get hash	malicious	Browse	103.57.228.86
	vbc(2).exe	Get hash	malicious	Browse	45.195.163.111
	h3YuU2ccMI.exe	Get hash	malicious	Browse	192.151.255.36
	sora.arm7	Get hash	malicious	Browse	154.86.70.142
	Oro00CeYE0	Get hash	malicious	Browse	103.57.228.89
	GbqSO8wDkY	Get hash	malicious	Browse	154.86.69.210
	x86	Get hash	malicious	Browse	156.251.7.133
	mSR4x9NnMI2lSah.exe	Get hash	malicious	Browse	160.124.133.245
	Letter of Intent.exe	Get hash	malicious	Browse	156.242.151.99
	Quotation#QO210109A87356.exe	Get hash	malicious	Browse	154.195.203.177
	009547789723_pdf.exe	Get hash	malicious	Browse	156.252.77.184
	Invoice BL Packing List.exe	Get hash	malicious	Browse	156.242.183.44
	peach.arm	Get hash	malicious	Browse	154.208.183.93
DXTL-HKDXTLTseungKwanOServiceHK	swift_copy_MT103_pdf.exe	Get hash	malicious	Browse	45.203.64.72
	AWB3455938544.exe	Get hash	malicious	Browse	154.214.139.85
	Additional Order Qty 197.xlsx	Get hash	malicious	Browse	45.203.107.205
	KzWXGmiJxS	Get hash	malicious	Browse	122.11.98.106
	sora.arm7	Get hash	malicious	Browse	154.221.154.89
	ZvUMlvUmXk.exe	Get hash	malicious	Browse	154.90.71.234
	NK9sAZ63ss.exe	Get hash	malicious	Browse	154.90.71.234
	F8fJe0qblC.exe	Get hash	malicious	Browse	154.90.71.234
	Antisocial.arm	Get hash	malicious	Browse	156.235.189.137
	SOA.exe	Get hash	malicious	Browse	154.81.100.18
	iBFtnxuPRcuCSPs.exe	Get hash	malicious	Browse	45.197.114.217
	XnLs7VLx1v	Get hash	malicious	Browse	45.197.112.62
	Order no.1480-G22-21202109.xlsx	Get hash	malicious	Browse	45.203.107.205
	YeDppKwP6z	Get hash	malicious	Browse	45.196.195.140
	Kp6SDRr8xd	Get hash	malicious	Browse	156.235.135.133
	3RBawvxxeY.exe	Get hash	malicious	Browse	156.239.92.147
	Eklenen yeni siparis.exe	Get hash	malicious	Browse	156.232.245.157
	DHL Shipping INV#BL.exe	Get hash	malicious	Browse	156.245.221.194
	zFDNFIXYHn	Get hash	malicious	Browse	154.93.250.174
	sora.arm7	Get hash	malicious	Browse	154.86.169.205

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.763697037341853
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO 56720012359.exe
File size:	304128
MD5:	839c75a88734aaf014ef0c3d77ce9109
SHA1:	10d79cb8e51fd30bfff63b2465ba0e111f6dd500
SHA256:	1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
SHA512:	e6feddaf0616f781a8d9de9fd68e78654c2be2c1e5bff676fc4d78de7ca6f8f6cace5245117d7554c4f50452c6d7d60ab5a62d1f66580ed8707ec835d91cc551
SSDEEP:	6144:z9GBfOEiU6y+B0yoP9/NbU2Q2QNW7rdmtJJTbutFB1:zgBmEiU6/aF/Ja2oW/dmtJwTB1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ivc.-...-...-... E..5... E.."... E..H...9\|..>...-...X....I..,....I..,....I..,...Rich-...........................PE..L...[SAa...

File Icon


Icon Hash:	4f050d0d0d054f90

Static PE Info

General
Entrypoint:	0x4029fb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6141535B [Wed Sep 15 01:58:51 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c2e2fa89aec204ac5f3945ce98025d14

Entrypoint Preview

Instruction
call 00007FDFFCC68396h
jmp 00007FDFFCC67210h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007FDFFCC673B7h
cmp dword ptr [eax+10h], 03h
jne 00007FDFFCC673B1h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007FDFFCC673ADh
cmp eax, 19930521h
je 00007FDFFCC673A6h
cmp eax, 19930522h
je 00007FDFFCC6739Fh
cmp eax, 01994000h
je 00007FDFFCC67398h
xor eax, eax
pop ebp
retn 0004h
call 00007FDFFCC68684h
int3
push 00402A05h
call 00007FDFFCC68A35h
pop ecx
xor eax, eax
ret
push ebp
mov ebp, esp
push esi
call 00007FDFFCC67634h
mov esi, eax
test esi, esi
je 00007FDFFCC674DBh
mov edx, dword ptr [esi+5Ch]
mov ecx, edx
push edi
mov edi, dword ptr [ebp+08h]
cmp dword ptr [ecx], edi
je 00007FDFFCC6739Fh
add ecx, 0Ch
lea eax, dword ptr [edx+00000090h]
cmp ecx, eax
jc 00007FDFFCC67381h
lea eax, dword ptr [edx+00000090h]
cmp ecx, eax
jnc 00007FDFFCC67396h
cmp dword ptr [ecx], edi
je 00007FDFFCC67394h
xor ecx, ecx
test ecx, ecx
je 00007FDFFCC674A6h
mov edx, dword ptr [ecx+08h]
test edx, edx
je 00007FDFFCC6749Bh
cmp edx, 05h
jne 00007FDFFCC6739Eh
and dword ptr [ecx+08h], 00000000h
xor eax, eax
inc eax
jmp 00007FDFFCC6748Bh
cmp edx, 01h
jne 00007FDFFCC6739Ah
or eax, FFFFFFFFh
jmp 00007FDFFCC6747Eh

Rich Headers

Programming Language:

[ C ] VS2015 UPD3.1 build 24215
[C++] VS2013 build 21005
[LNK] VS2015 UPD3.1 build 24215
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x113bc	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x37668	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xd70	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10e30	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10e50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x1c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb6b6	0xb800	False	0.581288213315	data	6.64409141426	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x4dd4	0x4e00	False	0.389272836538	data	4.66913496112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x31c4	0x1400	False	0.319921875	data	3.49628246477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x37668	0x37800	False	0.951919693131	data	7.9875649034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xd70	0xe00	False	0.796875	data	6.45071133859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
OZX	0x160f0	0x364b8	data	English	United States
RT_ICON	0x4c5a8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294440951, next used block 4294440951	English	United States
RT_GROUP_ICON	0x4d650	0x14	data	English	United States

Imports

DLL	Import
KERNEL32.dll	FreeLibrary, GetProcAddress, LoadLibraryExW, lstrcmpiW, lstrcpyW, lstrcatW, lstrlenW, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, LCMapStringW, VirtualProtect, GetStringTypeW, HeapReAlloc, OutputDebugStringW, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, LeaveCriticalSection, EnterCriticalSection, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, GetCurrentProcess, GetProcessHeap, HeapFree, HeapAlloc, GetLastError, HeapSize, ExpandEnvironmentStringsW, GetCommandLineW, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameW, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, CreateFileW
MSWSOCK.dll	getnetbyname, SetServiceA, GetAddressByNameA, EnumProtocolsA, rcmd, AcceptEx
rtutils.dll	TraceGetConsoleW, TraceVprintfExW, RouterLogEventStringA, RouterLogEventW, TraceDeregisterW, LogEventA
MAPI32.dll
WININET.dll	GopherFindFirstFileW, InternetQueryOptionA, InternetHangUp, FindFirstUrlCacheContainerW
RPCRT4.dll	NDRSContextMarshall, NdrSimpleStructFree, RpcServerInqBindings, NdrConvert2, NdrNonEncapsulatedUnionBufferSize, NdrConformantArrayUnmarshall
SHELL32.dll	ExtractAssociatedIconExA, SHBrowseForFolder
USER32.dll	MessageBoxW, GetDC, GrayStringA
ADVAPI32.dll	RegQueryValueExW, RegQueryValueExA, RegOpenKeyExW, RegCloseKey, StartServiceCtrlDispatcherW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/15/21-08:36:35.041327	ICMP	449	ICMP Time-To-Live Exceeded in Transit			10.254.0.2	192.168.2.5
09/15/21-08:37:06.463980	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49782	80	192.168.2.5	107.180.44.148
09/15/21-08:37:06.463980	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49782	80	192.168.2.5	107.180.44.148
09/15/21-08:37:06.463980	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49782	80	192.168.2.5	107.180.44.148
09/15/21-08:37:11.792471	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49783	80	192.168.2.5	50.87.144.47
09/15/21-08:37:11.792471	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49783	80	192.168.2.5	50.87.144.47
09/15/21-08:37:11.792471	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49783	80	192.168.2.5	50.87.144.47

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 08:36:23.231709003 CEST	49774	80	192.168.2.5	156.252.96.170
Sep 15, 2021 08:36:23.517390966 CEST	80	49774	156.252.96.170	192.168.2.5
Sep 15, 2021 08:36:23.517803907 CEST	49774	80	192.168.2.5	156.252.96.170
Sep 15, 2021 08:36:23.518058062 CEST	49774	80	192.168.2.5	156.252.96.170
Sep 15, 2021 08:36:23.804039001 CEST	80	49774	156.252.96.170	192.168.2.5
Sep 15, 2021 08:36:24.016992092 CEST	80	49774	156.252.96.170	192.168.2.5
Sep 15, 2021 08:36:24.017019987 CEST	80	49774	156.252.96.170	192.168.2.5
Sep 15, 2021 08:36:24.017297029 CEST	49774	80	192.168.2.5	156.252.96.170
Sep 15, 2021 08:36:24.017507076 CEST	49774	80	192.168.2.5	156.252.96.170
Sep 15, 2021 08:36:24.303092957 CEST	80	49774	156.252.96.170	192.168.2.5
Sep 15, 2021 08:36:29.227380991 CEST	49775	80	192.168.2.5	154.81.100.18
Sep 15, 2021 08:36:29.440563917 CEST	80	49775	154.81.100.18	192.168.2.5
Sep 15, 2021 08:36:29.440790892 CEST	49775	80	192.168.2.5	154.81.100.18
Sep 15, 2021 08:36:29.441050053 CEST	49775	80	192.168.2.5	154.81.100.18
Sep 15, 2021 08:36:29.654616117 CEST	80	49775	154.81.100.18	192.168.2.5
Sep 15, 2021 08:36:29.654658079 CEST	80	49775	154.81.100.18	192.168.2.5
Sep 15, 2021 08:36:29.654845953 CEST	80	49775	154.81.100.18	192.168.2.5
Sep 15, 2021 08:36:29.664530993 CEST	49775	80	192.168.2.5	154.81.100.18
Sep 15, 2021 08:36:29.664748907 CEST	49775	80	192.168.2.5	154.81.100.18
Sep 15, 2021 08:36:29.882493973 CEST	80	49775	154.81.100.18	192.168.2.5
Sep 15, 2021 08:36:34.869563103 CEST	49776	80	192.168.2.5	23.252.68.226
Sep 15, 2021 08:36:37.880909920 CEST	49776	80	192.168.2.5	23.252.68.226
Sep 15, 2021 08:36:43.881170034 CEST	49776	80	192.168.2.5	23.252.68.226
Sep 15, 2021 08:36:58.227279902 CEST	49781	80	192.168.2.5	23.252.68.226
Sep 15, 2021 08:37:01.226968050 CEST	49781	80	192.168.2.5	23.252.68.226
Sep 15, 2021 08:37:06.348965883 CEST	49782	80	192.168.2.5	107.180.44.148
Sep 15, 2021 08:37:06.460891008 CEST	80	49782	107.180.44.148	192.168.2.5
Sep 15, 2021 08:37:06.463809013 CEST	49782	80	192.168.2.5	107.180.44.148
Sep 15, 2021 08:37:06.463979959 CEST	49782	80	192.168.2.5	107.180.44.148
Sep 15, 2021 08:37:06.574717999 CEST	80	49782	107.180.44.148	192.168.2.5
Sep 15, 2021 08:37:06.587517977 CEST	80	49782	107.180.44.148	192.168.2.5
Sep 15, 2021 08:37:06.587538004 CEST	80	49782	107.180.44.148	192.168.2.5
Sep 15, 2021 08:37:06.587790012 CEST	49782	80	192.168.2.5	107.180.44.148
Sep 15, 2021 08:37:06.587814093 CEST	49782	80	192.168.2.5	107.180.44.148
Sep 15, 2021 08:37:06.701248884 CEST	80	49782	107.180.44.148	192.168.2.5
Sep 15, 2021 08:37:07.227076054 CEST	49781	80	192.168.2.5	23.252.68.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 08:34:58.858092070 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:34:58.884917974 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 15, 2021 08:35:19.576796055 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:35:19.610516071 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 15, 2021 08:35:32.359035015 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:35:32.398933887 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 15, 2021 08:35:50.121221066 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:35:50.162609100 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:09.398763895 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:09.434449911 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:15.205795050 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:15.235292912 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:23.043905020 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:23.223212957 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:29.029289961 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:29.223927021 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:34.686691046 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:34.867702961 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:48.508781910 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:48.547694921 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:50.007797956 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:50.042438030 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 15, 2021 08:36:57.868899107 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:36:58.204263926 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 15, 2021 08:37:00.935902119 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:37:00.974194050 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 15, 2021 08:37:06.317146063 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:37:06.347759962 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 15, 2021 08:37:11.603655100 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:37:11.633694887 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 15, 2021 08:37:17.371459961 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 15, 2021 08:37:17.418663979 CEST	53	60075	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 08:36:23.043905020 CEST	192.168.2.5	8.8.8.8	0x273	Standard query (0)	www.stuntfighting.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:36:29.029289961 CEST	192.168.2.5	8.8.8.8	0xc6eb	Standard query (0)	www.fmodesign.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:36:34.686691046 CEST	192.168.2.5	8.8.8.8	0x237f	Standard query (0)	www.mobilewz.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:36:57.868899107 CEST	192.168.2.5	8.8.8.8	0xb373	Standard query (0)	www.mobilewz.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:00.935902119 CEST	192.168.2.5	8.8.8.8	0x38d1	Standard query (0)	www.arerasols.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:06.317146063 CEST	192.168.2.5	8.8.8.8	0x9590	Standard query (0)	www.healthy-shack.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:11.603655100 CEST	192.168.2.5	8.8.8.8	0xe92e	Standard query (0)	www.allfyllofficial.com	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:17.371459961 CEST	192.168.2.5	8.8.8.8	0xbf36	Standard query (0)	www.la-bio-geo.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 08:36:23.223212957 CEST	8.8.8.8	192.168.2.5	0x273	No error (0)	www.stuntfighting.com		156.252.96.170	A (IP address)	IN (0x0001)
Sep 15, 2021 08:36:29.223927021 CEST	8.8.8.8	192.168.2.5	0xc6eb	No error (0)	www.fmodesign.com		154.81.100.18	A (IP address)	IN (0x0001)
Sep 15, 2021 08:36:34.867702961 CEST	8.8.8.8	192.168.2.5	0x237f	No error (0)	www.mobilewz.com		23.252.68.226	A (IP address)	IN (0x0001)
Sep 15, 2021 08:36:58.204263926 CEST	8.8.8.8	192.168.2.5	0xb373	No error (0)	www.mobilewz.com		23.252.68.226	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:00.974194050 CEST	8.8.8.8	192.168.2.5	0x38d1	Name error (3)	www.arerasols.com	none	none	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:06.347759962 CEST	8.8.8.8	192.168.2.5	0x9590	No error (0)	www.healthy-shack.com	healthy-shack.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 08:37:06.347759962 CEST	8.8.8.8	192.168.2.5	0x9590	No error (0)	healthy-shack.com		107.180.44.148	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:11.633694887 CEST	8.8.8.8	192.168.2.5	0xe92e	No error (0)	www.allfyllofficial.com		50.87.144.47	A (IP address)	IN (0x0001)
Sep 15, 2021 08:37:17.418663979 CEST	8.8.8.8	192.168.2.5	0xbf36	Name error (3)	www.la-bio-geo.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.stuntfighting.com

www.fmodesign.com

www.healthy-shack.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49774	156.252.96.170	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 08:36:23.518058062 CEST	4563	OUT	GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ HTTP/1.1 Host: www.stuntfighting.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 08:36:24.016992092 CEST	4563	IN	HTTP/1.1 302 Moved Temporarily Server: nginx/1.16.1 Date: Wed, 15 Sep 2021 06:36:23 GMT Content-Type: text/html; charset=gbk Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.6.40 Location: /404.html Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49775	154.81.100.18	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 08:36:29.441050053 CEST	4564	OUT	GET /b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 HTTP/1.1 Host: www.fmodesign.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 08:36:29.654658079 CEST	4565	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 15 Sep 2021 06:36:29 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49782	107.180.44.148	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 08:37:06.463979959 CEST	4587	OUT	GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz HTTP/1.1 Host: www.healthy-shack.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 08:37:06.587517977 CEST	4588	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 15 Sep 2021 06:37:06 GMT Server: Apache Location: https://healthy-shack.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz Content-Length: 335 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 61 6c 74 68 79 2d 73 68 61 63 6b 2e 63 6f 6d 2f 62 36 63 75 2f 3f 79 32 3d 5f 6e 70 54 38 30 76 30 4d 32 26 61 6d 70 3b 4c 38 66 68 4f 46 52 50 3d 50 57 53 6e 63 6e 42 47 58 30 79 34 74 39 34 4d 49 59 68 41 44 54 6c 2f 5a 57 48 38 45 63 35 44 54 68 54 34 43 32 73 49 34 30 74 52 44 65 44 7a 4c 75 71 51 47 64 51 69 79 4e 52 4c 35 54 4c 6b 57 66 4d 7a 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://healthy-shack.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz">here</a>.</p></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: PO 56720012359.exe PID: 2600 Parent PID: 6032

General

Start time:	08:35:04
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\PO 56720012359.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO 56720012359.exe'
Imagebase:	0x8b0000
File size:	304128 bytes
MD5 hash:	839C75A88734AAF014EF0C3D77CE9109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: conhost.exe PID: 2940 Parent PID: 2600

General

Start time:	08:35:08
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: PO 56720012359.exe PID: 1392 Parent PID: 2600

General

Start time:	08:35:09
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\PO 56720012359.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO 56720012359.exe'
Imagebase:	0x8b0000
File size:	304128 bytes
MD5 hash:	839C75A88734AAF014EF0C3D77CE9109
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3472 Parent PID: 1392

General

Start time:	08:35:13
Start date:	15/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cscript.exe PID: 6300 Parent PID: 3472

General

Start time:	08:35:45
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x1210000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6324 Parent PID: 6300

General

Start time:	08:35:49
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\PO 56720012359.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6340 Parent PID: 6324

General

Start time:	08:35:49
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PO 56720012359.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries