Analysis Report Shipping Documents (INV,PL,BL)_pdf.exe

Overview

General Information

Sample Name: Shipping Documents (INV,PL,BL)_pdf.exe
Analysis ID: 320999
MD5: aed402d9a5675f5796265e5170ada7cb
SHA1: d2e2087f83c1ef3d10cbe60acb721745d19306b3
SHA256: 44350179d4fdd08fd02c02b733f80c82d54f5af31c8a2432de9cfb6b11ab4aa0
Tags: DHL, exe, GuLoader

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Shipping Documents (INV,PL,BL)_pdf.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: AED402D9A5675F5796265E5170ADA7CB)
    • Shipping Documents (INV,PL,BL)_pdf.exe (PID: 5268 cmdline: 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: AED402D9A5675F5796265E5170ADA7CB)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 5896 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6040 cmdline: /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x5368:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(16 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://lifeandhealth.com.mx/) | Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/x | Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind | Avira URL Cloud: Label: malware
Source: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Shipping Documents (INV,PL,BL)_pdf.exe | Virustotal: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop esi | 11_2_00C672B0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 11_2_00C66BC7
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1; Host: www.drinksandfruits.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1; Host: www.iatlet.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | ASN Name: NETSOURCEUS NETSOURCEUS
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\explorer.exe | Code function: 3_2_061F5782 getaddrinfo,setsockopt,recv, | 3_2_061F5782
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=vVVBlGd6XjiYufiPZCtpE8ClhRDPSp+6pFrvIQJUgNbClm9AeMVCLXFgut4jwu7Jje2C&wZ9=O2MpVr HTTP/1.1; Host: www.drinksandfruits.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /icm9/?jJEpd=tzd6f6hltsiSnXVk4gBb1fk7WFCRZPV169uDhTo4RpQ3iNZth/6Mcmvn9cuuL1csRrj/&wZ9=O2MpVr HTTP/1.1; Host: www.iatlet.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: unknown | DNS traffic detected: queries for: lifeandhealth.com.mx
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Fri, 20 Nov 2020 07:55:04 GMT; Server: Apache; Content-Length: 315; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cert.i
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 00000003.00000000.297520534.000000000F6D4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312545052.000000000098B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.com/icm9/www.verifyinstagram-help.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.84streetchamber.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.com/icm9/www.kalcio.site
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.cannahavedessert.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.com/icm9/www.iatlet.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.drinksandfruits.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.net
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.net/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.net/icm9/www.hunexhq.icu
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.faithinfitness.netReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.com/icm9/M
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.frontierautoglasswheatfield.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.com/icm9/www.smartbulk.store
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.gcsisgreen.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icu
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icu/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icu/icm9/www.frontierautoglasswheatfield.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.hunexhq.icuReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.com/icm9/www.leepl.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.iatlet.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.com/icm9/www.gcsisgreen.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.images77.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.site
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.site/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.site/icm9/www.mademoisellepierre.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.kalcio.siteReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.com/icm9/www.nationalcanopies.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.leepl.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.com/icm9/www.84streetchamber.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.machevate.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.com/icm9/www.images77.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.mademoisellepierre.comReferer:
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.com/icm9/www.cannahavedessert.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.nationalcanopies.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.store
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.store/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.store/icm9/www.machevate.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartbulk.storeReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.com
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.com/icm9/
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.com/icm9/www.faithinfitness.net
Source: explorer.exe, 00000003.00000002.498224754.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory: http://www.verifyinstagram-help.comReferer:
Source: explorer.exe, 00000003.00000000.293470278.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/)
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312216879.0000000000563000.00000040.00000001.sdmp, Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bin_
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/graceofgod/Kalied_fAAOrhVS181.bind
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312502212.0000000000948000.00000004.00000020.sdmp | String found in binary or memory: https://lifeandhealth.com.mx/x
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241695926.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Executable has a suspicious name (potential lure to open the executable)Show sources
      Source: Shipping Documents (INV,PL,BL)_pdf.exeStatic file information: Suspicious name
      Initial sample is a PE file and has a suspicious nameShow sources
Source: initial sample | Static PE information: Filename: Shipping Documents (INV,PL,BL)_pdf.exe
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F7FAA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F97D3 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F086A EnumWindows,NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F91CF NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F89EB NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3A46 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0A5C NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9A7A NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3A82 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3AAE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9AB1 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3AEC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9AE5 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F36F7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9B0D NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3B08 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9B4B NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3744 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3B40 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F2FAB NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F37A1 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9BB3 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3BCE NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F97DC NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9BEE NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F37EC NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3C06 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9804 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F982F NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9C2E NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3828 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3C6F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F988A NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F989B NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9C99 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3CC8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9CDC NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F98D4 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F38E4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F24E2 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F38F0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F090E NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F990D NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9D09 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0905 NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F451B NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0517 NtSetInformationThread,NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3D3C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9941 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F395C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F996B NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F097E NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9D74 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3D8C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9998 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3191 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F39A2 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F55B8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9DB7 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F09CD NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F99D3 NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F9DEB NtResumeThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F3DE9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F79FD NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F41FB NtSetInformationThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A10 NtQuerySection
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E96D0 NtCreateKey
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EA770 NtOpenThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9760 NtOpenProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EB040 NtSuspendThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3EAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9560 NtWriteFile
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3E99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056451B LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005691CF NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056322E TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632C6 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005697D3 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564395 Sleep,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564441 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569804 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056443B LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569C2E NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056982F NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005698D4 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569CDC NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005644EE LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564490 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056989B NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569C99 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056988A NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569941 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569D74 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056456E LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056996B NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056450E LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056990D NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569D09 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564522 NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005699D3 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569DEB NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563191 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569998 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569DB7 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00564654 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563246 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569A7A NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_0056462E LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632D1 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569AE5 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005632E9 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563288 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569AB1 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569B4B NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00563349 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569B0D NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_005697DC NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569BEE NtQueryInformationProcess
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00569BB3 NtQueryInformationProcess
Source: C:\Windows\explorer.exe | Code function: 3_2_061F4A32 NtCreateFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035499A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035496D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035496E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035495D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549B00 NtSetValueKey
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A10 NtQuerySection
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A20 NtResumeThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549950 NtQueueApcThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035499D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354B040 NtSuspendThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549820 NtEnumerateKey
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035498F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035498A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354A770 NtOpenThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549770 NtSetInformationFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549760 NtOpenProcess
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035497A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549560 NtWriteFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0354AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03549520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035495F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69DF0 NtReadFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69D40 NtCreateFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69E70 NtClose
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69F20 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69D3B NtCreateFile
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69E6A NtClose
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3C6E30
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E472EF7
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4722AE
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E472B28
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3DEBB0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E46DBD2
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E471FF1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3B841F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E461002
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D20A0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3BB090
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4720A8
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E471D55
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3A0D20
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3C4120
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3AF900
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E472D07
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E4725DD
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3D2581
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3BD5E0
Source: C:\Windows\explorer.exe | Code function: 3_2_061F4A32
Source: C:\Windows\explorer.exe | Code function: 3_2_061EB072
Source: C:\Windows\explorer.exe | Code function: 3_2_061F7A6F
Source: C:\Windows\explorer.exe | Code function: 3_2_061EB069
Source: C:\Windows\explorer.exe | Code function: 3_2_061F3862
Source: C:\Windows\explorer.exe | Code function: 3_2_061ECCF2
Source: C:\Windows\explorer.exe | Code function: 3_2_061ECCEC
Source: C:\Windows\explorer.exe | Code function: 3_2_061EFB1F
Source: C:\Windows\explorer.exe | Code function: 3_2_061F7B0E
Source: C:\Windows\explorer.exe | Code function: 3_2_061F2132
Source: C:\Windows\explorer.exe | Code function: 3_2_061EFB22
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0352AB40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D2B28
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035C03DA
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CDBD2
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0353EBB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035BFA2B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D22AE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0350F900
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03524120
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035C1002
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035DE824
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D28EC
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0351B090
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035320A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D20A8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035DDFCE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D1FF1
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CD616
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03526E30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D2EF7
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D1D55
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D2D07
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03500D20
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035D25DD
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0351D5E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_03532581
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_035CD466
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0351841F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6DB7D
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C52D89
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C52D90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C59E40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C59E3B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6DFC9
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C52FB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 0350B150 appears 48 times
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: String function: 1E3AB150 appears 35 times
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000000.00000002.241735598.0000000002090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.318768141.000000001E62F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312668816.0000000002590000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000000.240728958.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.312648510.0000000002540000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: Shipping Documents (INV,PL,BL)_pdf.exe | Binary or memory string: OriginalFilenamefdselskontrol.exe vs Shipping Documents (INV,PL,BL)_pdf.exe
Source: 0000000B.00000002.485764868.00000000031ED000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.312145897.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.483723038.0000000000C50000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.486000436.0000000003310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.316144266.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.487639953.0000000003A0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.485873650.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@4/3
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCBA05B85C1CFCA00.TMPJump to behavior
      Source: Shipping Documents (INV,PL,BL)_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Shipping Documents (INV,PL,BL)_pdf.exeVirustotal: Detection: 21%
      Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exeProcess created: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe'Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000002.316544263.000000001E49F000.00000040.00000001.sdmp, wlanext.exe, 0000000B.00000002.486841810.00000000035FF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, wlanext.exe
      Source: Binary string: wlanext.pdb source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
      Source: Binary string: wlanext.pdbGCTL source: Shipping Documents (INV,PL,BL)_pdf.exe, 00000001.00000003.311332726.00000000009C3000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.296872528.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Shipping Documents (INV,PL,BL)_pdf.exe PID: 5268, type: MEMORY
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F8356 push ds; iretd 0_2_020F8363
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F8365 push ds; iretd 0_2_020F8380
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F07CD pushad ; retf 0_2_020F07CF
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F07EE pushad ; retf 0_2_020F07F0
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_1E3FD0D1 push ecx; ret 1_2_1E3FD0E4
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00568355 push ds; iretd 1_2_00568363
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 1_2_00568365 push ds; iretd 1_2_00568380
Source: C:\Windows\explorer.exe | Code function: 3_2_061F83E6 pushad ; ret 3_2_061F83E7
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_0355D0D1 push ecx; ret 11_2_0355D0E4
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6705B push esi; ret 11_2_00C6705C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C66989 push edi; retf 11_2_00C6698F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C67C5E push esi; iretd 11_2_00C67C5F
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C67D40 push eax; ret 11_2_00C67D41
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CEE2 push eax; ret 11_2_00C6CEE8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CEEB push eax; ret 11_2_00C6CF52
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CE95 push eax; ret 11_2_00C6CEE8
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C69666 push ss; iretd 11_2_00C6966B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C66679 push ebp; retf 11_2_00C6667A
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6AE79 push ebx; ret 11_2_00C6AE7D
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6BE12 push ebp; ret 11_2_00C6BE15
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 11_2_00C6CF4C push eax; ret 11_2_00C6CF52

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xED
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0D0F NtWriteVirtualMemory,TerminateProcess, 0_2_020F0D0F
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0E46 TerminateProcess, 0_2_020F0E46
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0E55 TerminateProcess, 0_2_020F0E55
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0EB1 TerminateProcess, 0_2_020F0EB1
Source: C:\Users\user\Desktop\Shipping Documents (INV,PL,BL)_pdf.exe | Code function: 0_2_020F0EF6 TerminateProcess, 0_2_020F0EF6