
Windows Analysis Report: Shipping Doc.exe

Overview

General Information

Sample Name: Shipping Doc.exe
Analysis ID: 458885
MD5: 159d560ff64cdb2d130b1635f4123a49
SHA1: 5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256: 065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Tags: exe, Formbook

Detection

Threat name: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Shipping Doc.exe (PID: 1932 cmdline: 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: 159D560FF64CDB2D130B1635F4123A49)
    • Shipping Doc.exe (PID: 2148 cmdline: C:\Users\user\Desktop\Shipping Doc.exe MD5: 159D560FF64CDB2D130B1635F4123A49)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 2000 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3984 cmdline: /c del 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 4.2.Shipping Doc.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.Shipping Doc.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 4.2.Shipping Doc.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}
Multi AV Scanner detection for submitted file
Source: Shipping Doc.exe | Virustotal: Detection: 50%
Source: Shipping Doc.exe | Metadefender: Detection: 31%
Source: Shipping Doc.exe | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Shipping Doc.exe | Joe Sandbox ML: detected
Source: 4.2.Shipping Doc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Shipping Doc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Shipping Doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb | source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.shopjempress.com/amb6/
Source: global traffic | HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1; Host: www.bigdaddy.fish; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1; Host: www.davinescosmetics.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown | DNS traffic detected: queries for: www.bigdaddy.fish
Source: cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp | String found in binary or memory: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC
Source: explorer.exe, 00000006.00000000.282041503.00000000089C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping Doc.exe, 00000002.00000003.218505402.00000000057C6000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping Doc.exe, 00000002.00000003.219138017.00000000057BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping Doc.exe, 00000002.00000003.219469628.0000000005799000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsdn
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomFU
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlicd
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Shipping Doc.exe, 00000002.00000003.213525769.000000000579B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comicV
Source: Shipping Doc.exe, 00000002.00000003.213474844.000000000579B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comny
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn&
Source: Shipping Doc.exe, 00000002.00000003.216788502.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn8
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnP
Source: Shipping Doc.exe, 00000002.00000003.215912066.000000000578E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cny
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnz
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping Doc.exe, 00000002.00000003.222324750.0000000005792000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/argeg
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/en-ut
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-f
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/siv
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vam&
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma7
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comc
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Shipping Doc.exe, 00000002.00000003.214716683.000000000579B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comI
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E90 NtClose,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419D5B NtCreateFile,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419E8B NtClose,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00419F3A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053DA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053D9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219E10 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219E90 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219F3A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219E8B NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03219D5B NtCreateFile,
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00417164
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041E1B3
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041DAB4
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041D360
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00402D87
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00409E40
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00402FB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_05461D55
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_05390D20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053B4120
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0539F900
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053AD5E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053A841F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_05451002
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053AB090
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053CEBB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053B6E30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321DAB4
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03217164
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321E1B3
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03202FB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03209E40
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03202D87
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03202D90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0539B150 appears 32 times
          Source: Shipping Doc.exe, 00000002.00000000.210709159.00000000004B0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.320202534.0000000000F90000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.320852896.0000000001C0F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Doc.exe
          Source: Shipping Doc.exe | Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\Shipping Doc.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
          Source: Shipping Doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Shipping Doc.exe | Virustotal: Detection: 50%
          Source: Shipping Doc.exe | Metadefender: Detection: 31%
          Source: Shipping Doc.exe | ReversingLabs: Detection: 26%
          Source: unknown | Process created: C:\Users\user\Desktop\Shipping Doc.exe 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Shipping Doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Shipping Doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Shipping Doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
          Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Shipping Doc.exe | Static PE information: 0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00414A19 push ebp; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_004046A7 push edx; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_004167BF push ecx; iretd
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_053ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03214A19 push ebp; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CF02 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CF0B push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CF6C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_032167BF push ecx; iretd
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_03214F99 pushfd ; retf
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_032046A7 push edx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 15_2_0321CEB5 push eax; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.2014231354
          Source: Shipping Doc.exe, jtOONAqGyrOQ0u8Ixk/bpT4mwco1CD693b7CN.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'oPOobRO5Vf', 'xm0o4Sf5NR', 'iEhoUBHjQn', 'ijuoVsDDg2', 'MQ3opPNGI1', 'S3PoaRe2Zm', 'nWyo9cofXu'
          Source: Shipping Doc.exe, RuGDW7WIWRL3vuqXmw/WrIPZ8OGPrQJVhLUng.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'rgxUTfEcE8', 'q8OZlL4Rke', 'x5iZK8bkZ8', 'G2oZhTFUiy', 'L68ZzSd862', 'V2KO3o6ooX', 'cAnOXHn0FW', 'wSEOMWMK2K'
          Source: Shipping Doc.exe, hasvvCPjjpwAYaryty/EfFkrBZD9T3RSksP6r.cs | High entropy of concatenated method names: 'Rj7pMjk0RG', 'yxxppukx53', '.ctor', 'uJxMm4pXjR', 'k9lMjtoI45', 'wSjM2XIjCC', 'gO5MrDyTRD', 'KrXMRRV4g5', 'uydM6uLlM6', 'YGpMTXkEhk'
          Source: Shipping Doc.exe, QSqf1GDneX5foweMTs/gdXQIRHg06sMXH3Uxd.cs | High entropy of concatenated method names: '.ctor', 'OFPUt83v9K', 'Dispose', 'mCOUJCTXYL', 'upBUseu0pH', 'HIXUhn1Ejd', 'I30U81QHfg', 'StGUGWc16P', 'X1iUOqmHqd', 'Ka0ZQEPwNI'
          Source: Shipping Doc.exe, VfaCLA2tkrd397ihoB/buZV27SgYVJ8wKY7Z0.cs | High entropy of concatenated method names: 'CMppZjWBMw', 'WSepPM9SAb', 'BJApjvbu0I', 'ReYpSqXGYT', 'hp3prsATrN', 'N3op30XIBP', 'YUZpyoUrkn', 'EV6p6ZDRrC', 'S0OpzLwnNq', 'uvNabGVwIQ'
          Source: Shipping Doc.exe, UNAPpRk5a6XMif56PN/tbtYLjiE15X0m3NrV3.cs | High entropy of concatenated method names: 'DownJlYGxJ', 'xuxnPXJrTV', 'w3mnbXLFql', 'fTqnDGgSIY', 'eINnmEc12d', 'nKXnd3ROy7', 'awc4e3Q42f', 'BhB4klsGCM', 'g6x4c5BQkZ', '.ctor'
          Source: Shipping Doc.exe, UiJUy4BuRoHLOAKf06/xXY9csuTjhbcI1BP2L.cs | High entropy of concatenated method names: '.ctor', 'Save', 'HAK5f06my', 'Load', 'HD3dcOlu8', 'L3tKrC2Wr', 'IdyxYvcVc', 'UiJGtlVLwBaQxjgBF6', 'PIkx4Wf1QZgiV6aU4i', 'Dmh9sciVAETbBXxfFa'
          Source: Shipping Doc.exe, UOdyYvecVcmermsDhZ/RyGD3cgOlu803trC2W.cs | High entropy of concatenated method names: '.ctor', 'RHvjJZq4E', 'p2nSuK03D', 'vRg006sMX', 'za8rj6Xgs', 'lcY3ZFXvZ', 'SuJyVgV3w', 'K5l6Xpqre', 'aboznP1OR', 'wKa4b4MTS2'
          Source: Shipping Doc.exe, lfBAw24wG7RaGl4BUSW/LdIBF34ft0aEOrSOpS7.cs | High entropy of concatenated method names: 'Dispose', 'ab0nKv0rYl', 'QfAnxS7FmM', 'KPJntrwakq', 'hrtnJqte2T', 'get_MinimumSize', 'set_MinimumSize', 'zaruECCxke', 'AUkuQwTOtd', 'kmkuL8FL2C'
          Source: Shipping Doc.exe, xP7XZx4KUcy0rZpMq7p/C89e434dqTXWooX6OT2.cs | High entropy of concatenated method names: 'e0riOZyeQf', 'PdXiWMlD76', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
          Source: Shipping Doc.exe, wUV9j84txMqsOMB0RNC/O8br1u4x3ZTxpBM3GKp.cs | High entropy of concatenated method names: '.ctor', 'MStqzWqX98', 'Bbn63OwGFH', 'BinijXg983', 'zWEiSMBU7I', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
          Source: Shipping Doc.exe, m90oD71ZT6Wr9cSLC3/BCGZxMFmXU9h9JKBRA.cs | High entropy of concatenated method names: '.ctor', 'd4MMkZMC3a', 'jwDMcNsXnd', 'Gp5MqvWKfg', 'SyIMHvh4nd', 'hUNMDI3IfP', 'mDWuCAUyBYn6ulPCLkn', 'glMALsU9egpF9gq6VvY', 'BPhg4AU0cm0xPgAcOUP', 'A1LpkmUKxjoeRJhgj5v'
          Source: Shipping Doc.exe, sKgaUY4su4YTKa6GuYl/zgNK5N4JjGAZFgAu99M.cs | High entropy of concatenated method names: '.ctor', 'UbQkbXvRlm', 'IODk4e1Qh2', 'csBkUTL3tc', 'khokVDYHrG', 'Gl8i6EIG8s', 'qyCiTn1nPR', 'FE7iz1aZDQ', 'gcBwMrofCMqEqIdiR6L', 'i3QNTaoieNlxFPGbQ4d'
          Source: Shipping Doc.exe, I156H44Dv8rnIOySGfK/hltbY94HHwR3afLhEhf.cs | High entropy of concatenated method names: '.ctor', 'aLPlf5n4CH', 'tIqlwf7H6m', 'tZJlo0KBRb', 'cpflU40tFN', 'wk5lV1CuJF', 'kyhlMnlNeC', 'xLolpUglD3', 'N0WlaMcuXO', 'XbElCFHsrk'
          Source: Shipping Doc.exe, iTAtM84qSuFr2hs51c1/llm9gs4ch4IcMcmGnvJ.cs | High entropy of concatenated method names: 'FIv9ZZdDqG', 'gQI9PDLDlN', 'q2H9mKTBvh', 'uM89jAIc2y', 'zL49SlfPPi', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
          Source: Shipping Doc.exe, aiLmWw4VnJDnSPTNJVN/XYryxx4U6BmknteXNOa.cs | High entropy of concatenated method names: '.ctor', 'ukj9woe4c6', 'Dfu9EiQsTa', 'NuW9A6sETI', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'MmH4btFKnt5dqxSDm2G', 'hZ9OUfFVGF3Eyyj8DxB'
          Source: Shipping Doc.exe, BLop0K4E7l9d1bylJUy/zJBh6F4IacA7iyEpXZO.cs | High entropy of concatenated method names: 'L5eBi4Qigv', 'ixEBkeoTbq', 'FFgBo4KGaE', 'BSVBUenW6x', 'agMBMj6JFC', 'G76Bp97jPo', 'NEABaXP8gi', 'mb7BCbn9q3', 'oorB9rEwKt', 'zx5BYqnub6'
          Source: Shipping Doc.exe, vNeJVt4AWwbHEvjgGer/LdlLQ14Qf610ZIAPrJw.cs | High entropy of concatenated method names: '.ctor', 'QppedwFCcs', 'qd6eKe7iLK', 'GI4etXfotQ', 'wxEeJ5n5Hk', 'get_Multiline', 'set_Multiline', 'fOLB0NPOGK', 'okIBFsEdfE', 'A7HB1qoYTX'
          Source: Shipping Doc.exe, nKYoUB4oxKLGj4jvd63/aLgWyc44ofXur00lLx1.cs | High entropy of concatenated method names: 'VsAaQxSlAF', 'D09aAvsZj4', 'LmhaLRSl8M', 'okva5IYOyq', 'HKUad6KvCc', 'CAuaKRAFBD', 'J6paxwfEfU', 'iLlatruy0f', 'YF3aJVd6Ly', 'dX9aspur2U'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE3
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Shipping Doc.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000003209B5E second address: 0000000003209B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 5516 | Thread sleep time: -39781s >= -30000s
          Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 6132 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3340 | Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 1392 | Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Thread delayed: delay time: 39781
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000006.00000000.280370116.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.273037707.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.280812513.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000006.00000000.311184656.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.