Windows Analysis Report DHL DOC 3406506482.exe

Overview

General Information

Sample Name: DHL DOC 3406506482.exe
Analysis ID: 532855
MD5: 896c3c7f309a479f0ab1a9d8693b130f
SHA1: 9ad094b6799fb6deea1d2c3704576db3353d70ae
SHA256: 6f35f7c071de6ed456c189e023daa27c5b0cd007d4fcddbb13316a82ada83abe
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.verdugofarms.com/q35x/"], "decoy": ["86ffd.com", "riquelmetaylor.com", "web3media.xyz", "lesbian-kyonyu.net", "assurancestreet.com", "giftboxpromos.com", "3exnck.com", "androidgays.com", "eduexsoft.com", "bmtmarmall.com", "mstrevent.com", "suvyco.link", "urautloads.com", "peaacockrv.com", "stanefree.com", "ybcxzgnmu.com", "pittsburgh-pestcontrol-co.com", "thesecond-handrose.com", "otcovotakkia.quest", "josephinesart.com", "uenpb.xyz", "gzczjsfg.com", "emptybestliving.com", "thecripsarena.com", "1688bfb.com", "garymullin.com", "socialteers-millunu.com", "zapf-nachhilfe.com", "expressportaldeliveryline.com", "hobbydiscover.store", "qncqroup.com", "housepainteroshawa.com", "craftedbycharter.com", "sushibaraustin.com", "kjjsclosets.com", "leylaatakan.com", "luminbowstore.com", "autoauctioncenter.com", "bon-da.com", "spilledreviews.com", "hbtysj.com", "truthrevealedtv.com", "gmcanchorage.com", "kirbycarpet.com", "ambire.email", "awonky.com", "giannagragnani.com", "infomw-abogados.com", "summit-mulundwest.info", "omradesutveckling.com", "jennypennybeachboutique.com", "medicalmarijuana.quest", "tusjentagal.quest", "zghglw.com", "bmcq1.com", "counsellinggta.com", "econnect.club", "xn--42cgr3fjyvj4c9a.com", "wed8029.com", "jeweleryshowcase.com", "ketofam.com", "roiward.tech", "artemi.club", "maddocksmedia.com"]}
Multi AV Scanner detection for submitted file
Source: DHL DOC 3406506482.exe Virustotal: Detection: 29%
Source: DHL DOC 3406506482.exe ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: DHL DOC 3406506482.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL DOC 3406506482.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 4x nop then pop ebx 1_2_00407B1B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop ebx 14_2_02D77B1B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 1.32.255.152:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 1.32.255.152:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 1.32.255.152:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.uenpb.xyz
Source: C:\Windows\explorer.exe Network Connect: 1.32.255.152 80
Source: C:\Windows\explorer.exe Domain query: www.wed8029.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.uenpb.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.verdugofarms.com/q35x/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BCPL-SGBGPNETGlobalASNSG
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHCJqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN HTTP/1.1Host: www.uenpb.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 02 Dec 2021 17:56:34 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: unknown DNS traffic detected: queries for: www.wed8029.com
Source: global traffic HTTP traffic detected: GET /q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHCJqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN HTTP/1.1Host: www.uenpb.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: DHL DOC 3406506482.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_003B2050 0_2_003B2050
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFE778 0_2_00DFE778
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFE777 0_2_00DFE777
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFBDC4 0_2_00DFBDC4
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_059A2440 0_2_059A2440
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_059A3328 0_2_059A3328
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_059A6BB0 0_2_059A6BB0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_059A6BA0 0_2_059A6BA0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041E070 1_2_0041E070
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041E225 1_2_0041E225
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041EB4E 1_2_0041EB4E
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041EB51 1_2_0041EB51
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041E583 1_2_0041E583
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041D5A3 1_2_0041D5A3
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409E60 1_2_00409E60
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041DED3 1_2_0041DED3
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00492050 1_2_00492050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1B090 14_2_04A1B090
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1002 14_2_04AC1002
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1841F 14_2_04A1841F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32581 14_2_04A32581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1D5E0 14_2_04A1D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A00D20 14_2_04A00D20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0F900 14_2_04A0F900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD1D55 14_2_04AD1D55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A26E30 14_2_04A26E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3EBB0 14_2_04A3EBB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8E225 14_2_02D8E225
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8EB51 14_2_02D8EB51
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8EB4E 14_2_02D8EB4E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8E070 14_2_02D8E070
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8DED3 14_2_02D8DED3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D79E60 14_2_02D79E60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D72FB0 14_2_02D72FB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D72D90 14_2_02D72D90
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D72D87 14_2_02D72D87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8E583 14_2_02D8E583
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8D5A3 14_2_02D8D5A3
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 04A0B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041A360 NtCreateFile, 1_2_0041A360
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041A410 NtReadFile, 1_2_0041A410
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041A490 NtClose, 1_2_0041A490
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041A540 NtAllocateVirtualMemory, 1_2_0041A540
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041A35A NtCreateFile, 1_2_0041A35A
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041A48A NtReadFile,NtClose, 1_2_0041A48A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_04A49860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49840 NtDelayExecution,LdrInitializeThunk, 14_2_04A49840
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A499A0 NtCreateSection,LdrInitializeThunk, 14_2_04A499A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A495D0 NtClose,LdrInitializeThunk, 14_2_04A495D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_04A49910
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49540 NtReadFile,LdrInitializeThunk, 14_2_04A49540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A496E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_04A496E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A496D0 NtCreateKey,LdrInitializeThunk, 14_2_04A496D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_04A49660
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49650 NtQueryValueKey,LdrInitializeThunk, 14_2_04A49650
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49A50 NtCreateFile,LdrInitializeThunk, 14_2_04A49A50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49780 NtMapViewOfSection,LdrInitializeThunk, 14_2_04A49780
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49FE0 NtCreateMutant,LdrInitializeThunk, 14_2_04A49FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49710 NtQueryInformationToken,LdrInitializeThunk, 14_2_04A49710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A498A0 NtWriteVirtualMemory, 14_2_04A498A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A498F0 NtReadVirtualMemory, 14_2_04A498F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49820 NtEnumerateKey, 14_2_04A49820
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4B040 NtSuspendThread, 14_2_04A4B040
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A495F0 NtQueryInformationFile, 14_2_04A495F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A499D0 NtCreateProcessEx, 14_2_04A499D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49520 NtWaitForSingleObject, 14_2_04A49520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4AD30 NtSetContextThread, 14_2_04A4AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49560 NtWriteFile, 14_2_04A49560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49950 NtQueueApcThread, 14_2_04A49950
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49A80 NtOpenDirectoryObject, 14_2_04A49A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49A20 NtResumeThread, 14_2_04A49A20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49A00 NtProtectVirtualMemory, 14_2_04A49A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49610 NtEnumerateValueKey, 14_2_04A49610
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49A10 NtQuerySection, 14_2_04A49A10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49670 NtQueryInformationProcess, 14_2_04A49670
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A497A0 NtUnmapViewOfSection, 14_2_04A497A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4A3B0 NtGetContextThread, 14_2_04A4A3B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49730 NtQueryVirtualMemory, 14_2_04A49730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49B00 NtSetValueKey, 14_2_04A49B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4A710 NtOpenProcessToken, 14_2_04A4A710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49760 NtOpenProcess, 14_2_04A49760
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A49770 NtSetInformationFile, 14_2_04A49770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4A770 NtOpenThread, 14_2_04A4A770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8A360 NtCreateFile, 14_2_02D8A360
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8A490 NtClose, 14_2_02D8A490
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8A410 NtReadFile, 14_2_02D8A410
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8A540 NtAllocateVirtualMemory, 14_2_02D8A540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8A35A NtCreateFile, 14_2_02D8A35A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8A48A NtReadFile,NtClose, 14_2_02D8A48A
Sample file is different than original file name gathered from version info
Source: DHL DOC 3406506482.exe, 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000000.00000002.247896269.000000000045C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSymLanguageTy.exeB vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000000.00000002.252007912.00000000059B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000000.00000003.240961826.0000000003846000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000000.246111705.000000000053C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSymLanguageTy.exeB vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000002.316614192.00000000011FF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000002.320523635.000000000372E000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe Binary or memory string: OriginalFilenameSymLanguageTy.exeB vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL DOC 3406506482.exe Virustotal: Detection: 29%
Source: DHL DOC 3406506482.exe ReversingLabs: Detection: 37%
Source: DHL DOC 3406506482.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe C:\Users\user\Desktop\DHL DOC 3406506482.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe C:\Users\user\Desktop\DHL DOC 3406506482.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL DOC 3406506482.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@5/2
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL DOC 3406506482.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL DOC 3406506482.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: DHL DOC 3406506482.exe, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL DOC 3406506482.exe.3b0000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL DOC 3406506482.exe.3b0000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.3.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.9.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.5.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.2.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.DHL DOC 3406506482.exe.490000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.1.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.7.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.0.unpack, Views/MainForm.cs .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DF41E1 push ebp; retn 0004h 0_2_00DF41E2
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DF4219 push esi; retn 0004h 0_2_00DF421A
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFE5DB push es; retf 0_2_00DFE5DE
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFE683 push es; retf 0_2_00DFE686
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFE768 pushfd ; ret 0_2_00DFE769
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFB109 pushfd ; retn 0004h 0_2_00DFB10A
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 0_2_00DFDC38 push cs; retf 0_2_00DFDC42
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00416913 pushad ; ret 1_2_00416923
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409BA8 push ebp; ret 1_2_00409BB0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409BA8 push ebp; ret 1_2_00409BB0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041D4B5 push eax; ret 1_2_0041D508
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041D56C push eax; ret 1_2_0041D572
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041D502 push eax; ret 1_2_0041D508
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041D50B push eax; ret 1_2_0041D572
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0041664D push di; retf 1_2_00416656
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A5D0D1 push ecx; ret 14_2_04A5D0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D79BA8 push ebp; ret 14_2_02D79BB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D86913 pushad ; ret 14_2_02D86923
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8664D push di; retf 14_2_02D86656
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8D4B5 push eax; ret 14_2_02D8D508
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8D56C push eax; ret 14_2_02D8D572
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8D50B push eax; ret 14_2_02D8D572
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02D8D502 push eax; ret 14_2_02D8D508
Source: initial sample Static PE information: section name: .text entropy: 7.85043153763

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE6
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\explorer.exe Process created: /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Windows\SysWOW64\explorer.exe Process created: /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL DOC 3406506482.exe.27b13c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL DOC 3406506482.exe PID: 4824, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL DOC 3406506482.exe, 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL DOC 3406506482.exe, 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002D79904 second address: 0000000002D7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002D79B7E second address: 0000000002D79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe TID: 2248 Thread sleep time: -34821s >= -30000s
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe TID: 2888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5020 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4840 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409AB0 rdtsc 1_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread delayed: delay time: 34821
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread delayed: delay time: 922337203685477
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000002.00000000.294199166.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.278703842.0000000008AEA000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.279700736.000000000DC20000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.252879349.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.279700736.000000000DC20000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Packages
Source: explorer.exe, 00000002.00000000.377785658.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.276642485.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.253873142.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.276642485.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409AB0 rdtsc 1_2_00409AB0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h] 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h] 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h] 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h] 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h] 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h] 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A490AF mov eax, dword ptr fs:[00000030h] 14_2_04A490AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3F0BF mov ecx, dword ptr fs:[00000030h] 14_2_04A3F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3F0BF mov eax, dword ptr fs:[00000030h] 14_2_04A3F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3F0BF mov eax, dword ptr fs:[00000030h] 14_2_04A3F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09080 mov eax, dword ptr fs:[00000030h] 14_2_04A09080
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A83884 mov eax, dword ptr fs:[00000030h] 14_2_04A83884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A83884 mov eax, dword ptr fs:[00000030h] 14_2_04A83884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1849B mov eax, dword ptr fs:[00000030h] 14_2_04A1849B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A058EC mov eax, dword ptr fs:[00000030h] 14_2_04A058EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC14FB mov eax, dword ptr fs:[00000030h] 14_2_04AC14FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86CF0 mov eax, dword ptr fs:[00000030h] 14_2_04A86CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86CF0 mov eax, dword ptr fs:[00000030h] 14_2_04A86CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86CF0 mov eax, dword ptr fs:[00000030h] 14_2_04A86CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A9B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov ecx, dword ptr fs:[00000030h] 14_2_04A9B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A9B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A9B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A9B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov eax, dword ptr fs:[00000030h] 14_2_04A9B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8CD6 mov eax, dword ptr fs:[00000030h] 14_2_04AD8CD6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1B02A mov eax, dword ptr fs:[00000030h] 14_2_04A1B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1B02A mov eax, dword ptr fs:[00000030h] 14_2_04A1B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1B02A mov eax, dword ptr fs:[00000030h] 14_2_04A1B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1B02A mov eax, dword ptr fs:[00000030h] 14_2_04A1B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3002D mov eax, dword ptr fs:[00000030h] 14_2_04A3002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3002D mov eax, dword ptr fs:[00000030h] 14_2_04A3002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3002D mov eax, dword ptr fs:[00000030h] 14_2_04A3002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3002D mov eax, dword ptr fs:[00000030h] 14_2_04A3002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3002D mov eax, dword ptr fs:[00000030h] 14_2_04A3002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3BC2C mov eax, dword ptr fs:[00000030h] 14_2_04A3BC2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD740D mov eax, dword ptr fs:[00000030h] 14_2_04AD740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD740D mov eax, dword ptr fs:[00000030h] 14_2_04AD740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD740D mov eax, dword ptr fs:[00000030h] 14_2_04AD740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86C0A mov eax, dword ptr fs:[00000030h] 14_2_04A86C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86C0A mov eax, dword ptr fs:[00000030h] 14_2_04A86C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86C0A mov eax, dword ptr fs:[00000030h] 14_2_04A86C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86C0A mov eax, dword ptr fs:[00000030h] 14_2_04A86C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h] 14_2_04AC1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD4015 mov eax, dword ptr fs:[00000030h] 14_2_04AD4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD4015 mov eax, dword ptr fs:[00000030h] 14_2_04AD4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87016 mov eax, dword ptr fs:[00000030h] 14_2_04A87016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87016 mov eax, dword ptr fs:[00000030h] 14_2_04A87016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87016 mov eax, dword ptr fs:[00000030h] 14_2_04A87016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2746D mov eax, dword ptr fs:[00000030h] 14_2_04A2746D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD1074 mov eax, dword ptr fs:[00000030h] 14_2_04AD1074
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC2073 mov eax, dword ptr fs:[00000030h] 14_2_04AC2073
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A44B mov eax, dword ptr fs:[00000030h] 14_2_04A3A44B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A20050 mov eax, dword ptr fs:[00000030h] 14_2_04A20050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A20050 mov eax, dword ptr fs:[00000030h] 14_2_04A20050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9C450 mov eax, dword ptr fs:[00000030h] 14_2_04A9C450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9C450 mov eax, dword ptr fs:[00000030h] 14_2_04A9C450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A335A1 mov eax, dword ptr fs:[00000030h] 14_2_04A335A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A361A0 mov eax, dword ptr fs:[00000030h] 14_2_04A361A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A361A0 mov eax, dword ptr fs:[00000030h] 14_2_04A361A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A869A6 mov eax, dword ptr fs:[00000030h] 14_2_04A869A6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A31DB5 mov eax, dword ptr fs:[00000030h] 14_2_04A31DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A31DB5 mov eax, dword ptr fs:[00000030h] 14_2_04A31DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A31DB5 mov eax, dword ptr fs:[00000030h] 14_2_04A31DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A851BE mov eax, dword ptr fs:[00000030h] 14_2_04A851BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A851BE mov eax, dword ptr fs:[00000030h] 14_2_04A851BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A851BE mov eax, dword ptr fs:[00000030h] 14_2_04A851BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A851BE mov eax, dword ptr fs:[00000030h] 14_2_04A851BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2C182 mov eax, dword ptr fs:[00000030h] 14_2_04A2C182
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32581 mov eax, dword ptr fs:[00000030h] 14_2_04A32581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32581 mov eax, dword ptr fs:[00000030h] 14_2_04A32581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32581 mov eax, dword ptr fs:[00000030h] 14_2_04A32581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32581 mov eax, dword ptr fs:[00000030h] 14_2_04A32581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A185 mov eax, dword ptr fs:[00000030h] 14_2_04A3A185
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A02D8A mov eax, dword ptr fs:[00000030h] 14_2_04A02D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A02D8A mov eax, dword ptr fs:[00000030h] 14_2_04A02D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A02D8A mov eax, dword ptr fs:[00000030h] 14_2_04A02D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A02D8A mov eax, dword ptr fs:[00000030h] 14_2_04A02D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A02D8A mov eax, dword ptr fs:[00000030h] 14_2_04A02D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32990 mov eax, dword ptr fs:[00000030h] 14_2_04A32990
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3FD9B mov eax, dword ptr fs:[00000030h] 14_2_04A3FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3FD9B mov eax, dword ptr fs:[00000030h] 14_2_04A3FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B1E1 mov eax, dword ptr fs:[00000030h] 14_2_04A0B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B1E1 mov eax, dword ptr fs:[00000030h] 14_2_04A0B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B1E1 mov eax, dword ptr fs:[00000030h] 14_2_04A0B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A941E8 mov eax, dword ptr fs:[00000030h] 14_2_04A941E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1D5E0 mov eax, dword ptr fs:[00000030h] 14_2_04A1D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1D5E0 mov eax, dword ptr fs:[00000030h] 14_2_04A1D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AB8DF1 mov eax, dword ptr fs:[00000030h] 14_2_04AB8DF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov eax, dword ptr fs:[00000030h] 14_2_04A86DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov eax, dword ptr fs:[00000030h] 14_2_04A86DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov eax, dword ptr fs:[00000030h] 14_2_04A86DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov ecx, dword ptr fs:[00000030h] 14_2_04A86DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov eax, dword ptr fs:[00000030h] 14_2_04A86DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov eax, dword ptr fs:[00000030h] 14_2_04A86DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov eax, dword ptr fs:[00000030h] 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov eax, dword ptr fs:[00000030h] 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov eax, dword ptr fs:[00000030h] 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov eax, dword ptr fs:[00000030h] 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov ecx, dword ptr fs:[00000030h] 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0AD30 mov eax, dword ptr fs:[00000030h] 14_2_04A0AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h] 14_2_04A13D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34D3B mov eax, dword ptr fs:[00000030h] 14_2_04A34D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34D3B mov eax, dword ptr fs:[00000030h] 14_2_04A34D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34D3B mov eax, dword ptr fs:[00000030h] 14_2_04A34D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8D34 mov eax, dword ptr fs:[00000030h] 14_2_04AD8D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3513A mov eax, dword ptr fs:[00000030h] 14_2_04A3513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3513A mov eax, dword ptr fs:[00000030h] 14_2_04A3513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A8A537 mov eax, dword ptr fs:[00000030h] 14_2_04A8A537
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09100 mov eax, dword ptr fs:[00000030h] 14_2_04A09100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09100 mov eax, dword ptr fs:[00000030h] 14_2_04A09100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09100 mov eax, dword ptr fs:[00000030h] 14_2_04A09100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0C962 mov eax, dword ptr fs:[00000030h] 14_2_04A0C962
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B171 mov eax, dword ptr fs:[00000030h] 14_2_04A0B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B171 mov eax, dword ptr fs:[00000030h] 14_2_04A0B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2C577 mov eax, dword ptr fs:[00000030h] 14_2_04A2C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2C577 mov eax, dword ptr fs:[00000030h] 14_2_04A2C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2B944 mov eax, dword ptr fs:[00000030h] 14_2_04A2B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2B944 mov eax, dword ptr fs:[00000030h] 14_2_04A2B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A43D43 mov eax, dword ptr fs:[00000030h] 14_2_04A43D43
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A83540 mov eax, dword ptr fs:[00000030h] 14_2_04A83540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A27D50 mov eax, dword ptr fs:[00000030h] 14_2_04A27D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A052A5 mov eax, dword ptr fs:[00000030h] 14_2_04A052A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A052A5 mov eax, dword ptr fs:[00000030h] 14_2_04A052A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A052A5 mov eax, dword ptr fs:[00000030h] 14_2_04A052A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A052A5 mov eax, dword ptr fs:[00000030h] 14_2_04A052A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A052A5 mov eax, dword ptr fs:[00000030h] 14_2_04A052A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD0EA5 mov eax, dword ptr fs:[00000030h] 14_2_04AD0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD0EA5 mov eax, dword ptr fs:[00000030h] 14_2_04AD0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD0EA5 mov eax, dword ptr fs:[00000030h] 14_2_04AD0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A846A7 mov eax, dword ptr fs:[00000030h] 14_2_04A846A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1AAB0 mov eax, dword ptr fs:[00000030h] 14_2_04A1AAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1AAB0 mov eax, dword ptr fs:[00000030h] 14_2_04A1AAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3FAB0 mov eax, dword ptr fs:[00000030h] 14_2_04A3FAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9FE87 mov eax, dword ptr fs:[00000030h] 14_2_04A9FE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3D294 mov eax, dword ptr fs:[00000030h] 14_2_04A3D294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3D294 mov eax, dword ptr fs:[00000030h] 14_2_04A3D294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A316E0 mov ecx, dword ptr fs:[00000030h] 14_2_04A316E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A176E2 mov eax, dword ptr fs:[00000030h] 14_2_04A176E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32AE4 mov eax, dword ptr fs:[00000030h] 14_2_04A32AE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A48EC7 mov eax, dword ptr fs:[00000030h] 14_2_04A48EC7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32ACB mov eax, dword ptr fs:[00000030h] 14_2_04A32ACB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABFEC0 mov eax, dword ptr fs:[00000030h] 14_2_04ABFEC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A336CC mov eax, dword ptr fs:[00000030h] 14_2_04A336CC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8ED6 mov eax, dword ptr fs:[00000030h] 14_2_04AD8ED6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0E620 mov eax, dword ptr fs:[00000030h] 14_2_04A0E620
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A44A2C mov eax, dword ptr fs:[00000030h] 14_2_04A44A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A44A2C mov eax, dword ptr fs:[00000030h] 14_2_04A44A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABFE3F mov eax, dword ptr fs:[00000030h] 14_2_04ABFE3F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0C600 mov eax, dword ptr fs:[00000030h] 14_2_04A0C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0C600 mov eax, dword ptr fs:[00000030h] 14_2_04A0C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0C600 mov eax, dword ptr fs:[00000030h] 14_2_04A0C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A38E00 mov eax, dword ptr fs:[00000030h] 14_2_04A38E00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A18A0A mov eax, dword ptr fs:[00000030h] 14_2_04A18A0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A05210 mov eax, dword ptr fs:[00000030h] 14_2_04A05210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A05210 mov ecx, dword ptr fs:[00000030h] 14_2_04A05210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A05210 mov eax, dword ptr fs:[00000030h] 14_2_04A05210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A05210 mov eax, dword ptr fs:[00000030h] 14_2_04A05210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0AA16 mov eax, dword ptr fs:[00000030h] 14_2_04A0AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0AA16 mov eax, dword ptr fs:[00000030h] 14_2_04A0AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A23A1C mov eax, dword ptr fs:[00000030h] 14_2_04A23A1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A61C mov eax, dword ptr fs:[00000030h] 14_2_04A3A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A61C mov eax, dword ptr fs:[00000030h] 14_2_04A3A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABB260 mov eax, dword ptr fs:[00000030h] 14_2_04ABB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABB260 mov eax, dword ptr fs:[00000030h] 14_2_04ABB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1766D mov eax, dword ptr fs:[00000030h] 14_2_04A1766D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8A62 mov eax, dword ptr fs:[00000030h] 14_2_04AD8A62
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2AE73 mov eax, dword ptr fs:[00000030h] 14_2_04A2AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2AE73 mov eax, dword ptr fs:[00000030h] 14_2_04A2AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2AE73 mov eax, dword ptr fs:[00000030h] 14_2_04A2AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2AE73 mov eax, dword ptr fs:[00000030h] 14_2_04A2AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2AE73 mov eax, dword ptr fs:[00000030h] 14_2_04A2AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4927A mov eax, dword ptr fs:[00000030h] 14_2_04A4927A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09240 mov eax, dword ptr fs:[00000030h] 14_2_04A09240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09240 mov eax, dword ptr fs:[00000030h] 14_2_04A09240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09240 mov eax, dword ptr fs:[00000030h] 14_2_04A09240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09240 mov eax, dword ptr fs:[00000030h] 14_2_04A09240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h] 14_2_04A17E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h] 14_2_04A17E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h] 14_2_04A17E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h] 14_2_04A17E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h] 14_2_04A17E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h] 14_2_04A17E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A94257 mov eax, dword ptr fs:[00000030h] 14_2_04A94257
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD5BA5 mov eax, dword ptr fs:[00000030h] 14_2_04AD5BA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34BAD mov eax, dword ptr fs:[00000030h] 14_2_04A34BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34BAD mov eax, dword ptr fs:[00000030h] 14_2_04A34BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34BAD mov eax, dword ptr fs:[00000030h] 14_2_04A34BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC138A mov eax, dword ptr fs:[00000030h] 14_2_04AC138A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABD380 mov ecx, dword ptr fs:[00000030h] 14_2_04ABD380
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A11B8F mov eax, dword ptr fs:[00000030h] 14_2_04A11B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A11B8F mov eax, dword ptr fs:[00000030h] 14_2_04A11B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3B390 mov eax, dword ptr fs:[00000030h] 14_2_04A3B390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32397 mov eax, dword ptr fs:[00000030h] 14_2_04A32397
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A18794 mov eax, dword ptr fs:[00000030h] 14_2_04A18794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87794 mov eax, dword ptr fs:[00000030h] 14_2_04A87794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87794 mov eax, dword ptr fs:[00000030h] 14_2_04A87794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87794 mov eax, dword ptr fs:[00000030h] 14_2_04A87794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h] 14_2_04A303E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h] 14_2_04A303E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h] 14_2_04A303E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h] 14_2_04A303E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h] 14_2_04A303E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h] 14_2_04A303E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2DBE9 mov eax, dword ptr fs:[00000030h] 14_2_04A2DBE9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A437F5 mov eax, dword ptr fs:[00000030h] 14_2_04A437F5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A853CA mov eax, dword ptr fs:[00000030h] 14_2_04A853CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A853CA mov eax, dword ptr fs:[00000030h] 14_2_04A853CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A04F2E mov eax, dword ptr fs:[00000030h] 14_2_04A04F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A04F2E mov eax, dword ptr fs:[00000030h] 14_2_04A04F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3E730 mov eax, dword ptr fs:[00000030h] 14_2_04A3E730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD070D mov eax, dword ptr fs:[00000030h] 14_2_04AD070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD070D mov eax, dword ptr fs:[00000030h] 14_2_04AD070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A70E mov eax, dword ptr fs:[00000030h] 14_2_04A3A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A70E mov eax, dword ptr fs:[00000030h] 14_2_04A3A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2F716 mov eax, dword ptr fs:[00000030h] 14_2_04A2F716
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC131B mov eax, dword ptr fs:[00000030h] 14_2_04AC131B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9FF10 mov eax, dword ptr fs:[00000030h] 14_2_04A9FF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9FF10 mov eax, dword ptr fs:[00000030h] 14_2_04A9FF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0DB60 mov ecx, dword ptr fs:[00000030h] 14_2_04A0DB60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1FF60 mov eax, dword ptr fs:[00000030h] 14_2_04A1FF60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8F6A mov eax, dword ptr fs:[00000030h] 14_2_04AD8F6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A33B7A mov eax, dword ptr fs:[00000030h] 14_2_04A33B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A33B7A mov eax, dword ptr fs:[00000030h] 14_2_04A33B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0DB40 mov eax, dword ptr fs:[00000030h] 14_2_04A0DB40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1EF40 mov eax, dword ptr fs:[00000030h] 14_2_04A1EF40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8B58 mov eax, dword ptr fs:[00000030h] 14_2_04AD8B58
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0F358 mov eax, dword ptr fs:[00000030h] 14_2_04A0F358
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_0040ACF0 LdrLoadDll, 1_2_0040ACF0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.uenpb.xyz
Source: C:\Windows\explorer.exe Network Connect: 1.32.255.152 80
Source: C:\Windows\explorer.exe Domain query: www.wed8029.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 290000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Memory written: C:\Users\user\Desktop\DHL DOC 3406506482.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe C:\Users\user\Desktop\DHL DOC 3406506482.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp, explorer.exe, 00000002.00000000.274832594.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.259040044.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.294378470.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.277072165.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000002.00000000.286668277.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.266152630.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.377694769.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.250248842.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Users\user\Desktop\DHL DOC 3406506482.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY