Windows Analysis Report
Doc via Dhl.exe

Overview

General Information

Sample name: Doc via Dhl.exe
Analysis ID: 1427948
MD5: 841929b17d06d403c2e091131d94dc74
SHA1: 5424d400a35c218577bed7e5bbed0533e6f856a9
SHA256: 9b58113a5cd1f82468370a2a42f7273d69139ff2cc609f7e3b98cf105a181524
Tags: AgentTeslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "dynex@dynex-kr.com", "Password": " nne dimma080 "}
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Virustotal: Detection: 35%
Source: Doc via Dhl.exe ReversingLabs: Detection: 34%
Source: Doc via Dhl.exe Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Joe Sandbox ML: detected
Source: Doc via Dhl.exe Joe Sandbox ML: detected
Source: Doc via Dhl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Doc via Dhl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yXAne.pdb source: Doc via Dhl.exe, JORnjCnA.exe.0.dr
Source: Binary string: yXAne.pdbSHA256 source: Doc via Dhl.exe, JORnjCnA.exe.0.dr
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 4x nop then jmp 02A731D7h 0_2_02A72857
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 4x nop then jmp 0477273Fh 9_2_04771DBF

Networking

Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.6:49712 -> 208.91.199.223:587
Source: global traffic TCP traffic: 192.168.2.6:49712 -> 208.91.199.225:587
Source: global traffic TCP traffic: 192.168.2.6:49712 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.6:49712 -> 208.91.199.224:587
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 208.91.199.225 208.91.199.225
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: Doc via Dhl.exe, 00000008.00000002.3397952254.0000000003321000.00000004.00000800.00020000.00000000.sdmp, JORnjCnA.exe, 0000000E.00000002.3398680179.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: Doc via Dhl.exe, 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp, Doc via Dhl.exe, 00000008.00000002.3397952254.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Doc via Dhl.exe, 00000008.00000002.3394458591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Doc via Dhl.exe, 00000008.00000002.3395459263.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, JORnjCnA.exe, 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, JORnjCnA.exe, 0000000E.00000002.3398680179.0000000003361000.00000004.00000800.00020000.00000000.sdmp, JORnjCnA.exe, 0000000E.00000002.3395435708.00000000015BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Doc via Dhl.exe, 00000008.00000002.3395459263.00000000015E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostingAR9#
Source: Doc via Dhl.exe, 00000000.00000002.2176508710.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp, Doc via Dhl.exe, 00000008.00000002.3397952254.0000000003321000.00000004.00000800.00020000.00000000.sdmp, JORnjCnA.exe, 00000009.00000002.2212245201.0000000002761000.00000004.00000800.00020000.00000000.sdmp, JORnjCnA.exe, 0000000E.00000002.3398680179.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Doc via Dhl.exe, JORnjCnA.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd)Microsoft
Source: Doc via Dhl.exe, 00000008.00000002.3397952254.000000000337E000.00000004.00000800.00020000.00000000.sdmp, JORnjCnA.exe, 0000000E.00000002.3398680179.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Doc via Dhl.exe, 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp, Doc via Dhl.exe, 00000008.00000002.3394458591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JORnjCnA.exe, 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, cPKWk.cs .Net Code: wFnyHwMara6
Source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, cPKWk.cs .Net Code: wFnyHwMara6

System Summary

Source: 9.2.JORnjCnA.exe.37d8658.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.JORnjCnA.exe.3813c78.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Doc via Dhl.exe.4ae49e8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.JORnjCnA.exe.3813c78.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Doc via Dhl.exe.52a0000.4.raw.unpack, LoginForm.cs Large array initialization: : array initializer size 33603
Source: Doc via Dhl.exe, Form1.cs Long String: Length: 131612
Source: JORnjCnA.exe.0.dr, Form1.cs Long String: Length: 131612
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_02A74FD8 0_2_02A74FD8
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_02ACD59C 0_2_02ACD59C
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0517001D 0_2_0517001D
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_05170040 0_2_05170040
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_086497D9 0_2_086497D9
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_08643B70 0_2_08643B70
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0864CBC0 0_2_0864CBC0
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_08643B80 0_2_08643B80
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0864DE60 0_2_0864DE60
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0864E28B 0_2_0864E28B
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0864E298 0_2_0864E298
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0864C350 0_2_0864C350
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_08645690 0_2_08645690
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_0864C788 0_2_0864C788
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016C60AC 8_2_016C60AC
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016C8F90 8_2_016C8F90
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016C4530 8_2_016C4530
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016C7410 8_2_016C7410
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016CDF58 8_2_016CDF58
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_0319C7B8 8_2_0319C7B8
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_03194AC8 8_2_03194AC8
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_0319DF9E 8_2_0319DF9E
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_03193EB0 8_2_03193EB0
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_031941F8 8_2_031941F8
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_00A9D59C 9_2_00A9D59C
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_04774610 9_2_04774610
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_04DA9B00 9_2_04DA9B00
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_04DA0040 9_2_04DA0040
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_04DA0007 9_2_04DA0007
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_04DA6FD8 9_2_04DA6FD8
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081C96A9 9_2_081C96A9
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081CCBC0 9_2_081CCBC0
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081CE298 9_2_081CE298
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081CC350 9_2_081CC350
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081CC788 9_2_081CC788
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081C3B7B 9_2_081C3B7B
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081C3B80 9_2_081C3B80
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081CDE60 9_2_081CDE60
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_01664688 14_2_01664688
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_01664530 14_2_01664530
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_01667410 14_2_01667410
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_0166DF58 14_2_0166DF58
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_0182E024 14_2_0182E024
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_0182C7B8 14_2_0182C7B8
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_01824AC8 14_2_01824AC8
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_01823EB0 14_2_01823EB0
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_018241F8 14_2_018241F8
Source: Doc via Dhl.exe, 00000000.00000002.2179896664.00000000052A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000002.2176508710.0000000002C5A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename706cda64-a16e-499f-bc0d-e021097210aa.exe4 vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000002.2177050686.0000000004885000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000002.2180324079.0000000005FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename* vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000002.2181309333.0000000008B70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename706cda64-a16e-499f-bc0d-e021097210aa.exe4 vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000002.2173043003.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000000.00000000.2132207369.00000000008E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameyXAne.exeT vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000008.00000002.3395459263.00000000015B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000008.00000002.3394458591.000000000043E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename706cda64-a16e-499f-bc0d-e021097210aa.exe4 vs Doc via Dhl.exe
Source: Doc via Dhl.exe, 00000008.00000002.3394850092.0000000001359000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Doc via Dhl.exe
Source: Doc via Dhl.exe Binary or memory string: OriginalFilenameyXAne.exeT vs Doc via Dhl.exe
Source: Doc via Dhl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.JORnjCnA.exe.37d8658.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.JORnjCnA.exe.3813c78.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Doc via Dhl.exe.4ae49e8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.JORnjCnA.exe.3813c78.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Doc via Dhl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JORnjCnA.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, XHaA6e0yeWGIFLXZh0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, CoktPaSc1kjhq5jm3Y.cs Security API names: _0020.SetAccessControl
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, CoktPaSc1kjhq5jm3Y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, CoktPaSc1kjhq5jm3Y.cs Security API names: _0020.AddAccessRule
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, CoktPaSc1kjhq5jm3Y.cs Security API names: _0020.SetAccessControl
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, CoktPaSc1kjhq5jm3Y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, CoktPaSc1kjhq5jm3Y.cs Security API names: _0020.AddAccessRule
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, XHaA6e0yeWGIFLXZh0.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/5
Source: C:\Users\user\Desktop\Doc via Dhl.exe File created: C:\Users\user\AppData\Roaming\JORnjCnA.exe
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Mutant created: \Sessions\1\BaseNamedObjects\IuvmBRKsjYOqPQSnvH
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3392:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2488:120:WilError_03
Source: C:\Users\user\Desktop\Doc via Dhl.exe File created: C:\Users\user\AppData\Local\Temp\tmp1E38.tmp
Source: Doc via Dhl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Doc via Dhl.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Doc via Dhl.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Doc via Dhl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Doc via Dhl.exe ReversingLabs: Detection: 34%
Source: Doc via Dhl.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\Doc via Dhl.exe File read: C:\Users\user\Desktop\Doc via Dhl.exe
Source: unknown Process created: C:\Users\user\Desktop\Doc via Dhl.exe "C:\Users\user\Desktop\Doc via Dhl.exe"
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc via Dhl.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JORnjCnA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JORnjCnA" /XML "C:\Users\user\AppData\Local\Temp\tmp1E38.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Users\user\Desktop\Doc via Dhl.exe "C:\Users\user\Desktop\Doc via Dhl.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\JORnjCnA.exe C:\Users\user\AppData\Roaming\JORnjCnA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JORnjCnA" /XML "C:\Users\user\AppData\Local\Temp\tmp2DD8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process created: C:\Users\user\AppData\Roaming\JORnjCnA.exe "C:\Users\user\AppData\Roaming\JORnjCnA.exe"
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process created: C:\Users\user\AppData\Roaming\JORnjCnA.exe "C:\Users\user\AppData\Roaming\JORnjCnA.exe"
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Doc via Dhl.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Doc via Dhl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Doc via Dhl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Doc via Dhl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Doc via Dhl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: yXAne.pdb source: Doc via Dhl.exe, JORnjCnA.exe.0.dr
Source: Binary string: yXAne.pdbSHA256 source: Doc via Dhl.exe, JORnjCnA.exe.0.dr

Data Obfuscation

Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, CoktPaSc1kjhq5jm3Y.cs .Net Code: sNptBTMUFj System.Reflection.Assembly.Load(byte[])
Source: 0.2.Doc via Dhl.exe.52a0000.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, CoktPaSc1kjhq5jm3Y.cs .Net Code: sNptBTMUFj System.Reflection.Assembly.Load(byte[])
Source: Doc via Dhl.exe Static PE information: 0xAEEC3B1A [Sat Dec 30 15:13:30 2062 UTC]
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 0_2_02AC5DF8 push esp; iretd 0_2_02AC5E01
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016C1243 push eax; iretd 8_2_016C1249
Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_016CB92F push es; ret 8_2_016CB940
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_04DAB790 push eax; mov dword ptr [esp], edx 9_2_04DAB7A4
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 9_2_081C3425 pushad ; retf 9_2_081C3426
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Code function: 14_2_01661243 push eax; iretd 14_2_01661249
Source: Doc via Dhl.exe Static PE information: section name: .text entropy: 7.290719475659586
Source: JORnjCnA.exe.0.dr Static PE information: section name: .text entropy: 7.290719475659586
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, sZ4VrP1Pq2tUcEwZkV.cs High entropy of concatenated method names: 'Wt373TFAF5', 'hxV7rdLLHo', 'R3M7yNT8pU', 'psu7He3Prq', 'Rgt7YhSARG', 'BEL7DObHJ2', 'v667Stwnpd', 'Jp67ILvoEd', 'c2w7omnuwS', 'dOA7e9ii0O'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, FWfRwwwJ0VPcjiUZicA.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TPNhPqlpoe', 'KY0hpS2fOF', 'zs0hvGXbxg', 'TAahEuEiAQ', 'T29h5BCDu8', 'nHDhxFdWCZ', 'MIHhM7Mmd3'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, IpxXLO9YvglOGIGXii.cs High entropy of concatenated method names: 'EcOYQjJHBL', 's1YYrExpAs', 'DHdYHTpkax', 'HkvYDgQyTC', 'MoMYSLe9pU', 'erbH5pOSUq', 'ydbHxsWly9', 'PIyHMemdIu', 'ghiH1jKu45', 'MVfH6mVcH0'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, u2SKvWqmABLA4v9fpB.cs High entropy of concatenated method names: 'iPbD3lcot3', 'NukDyPHSUl', 'Fs0DYtEDjT', 'SUMYsHquBK', 'HnjYz7RVpY', 'VLZDu2PFof', 'aTRDwe1F5r', 'nSVDblbLvl', 'zJRDJIeg9b', 'JcaDt8UmsE'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, JLGekDzXxxRq8hf9C2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lJ8micYkpY', 'u1vmTgDShk', 'sIJmGUvCaq', 'sUHmRMPitn', 'VLKm7nN0mE', 'w8qmmfAHKD', 'CfFmhhc2Zt'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, upCDQArMxOWehG4KA5.cs High entropy of concatenated method names: 'Dispose', 'goJw6n3NvO', 'VQGbl38JtM', 'WeBccFBYRO', 'zhZws4VrPP', 'L2twzUcEwZ', 'ProcessDialogKey', 'BVHbuYuaDs', 'Atbbw4lGIE', 'dqhbbRHbGF'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, SCXpvutIP60Q7MNP2J.cs High entropy of concatenated method names: 'wN1wDHaA6e', 'geWwSGIFLX', 'nLXwoWqj3P', 'rMVwe8n4Tw', 'S2swT3lnpx', 'LLOwGYvglO', 'h09TVUsrhKR6apEIDI', 'llGwXIrr9yitFJ22WQ', 'n6mwwZA9iD', 'ie5wJvFC8R'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, I4TwGqNNe6fXpp2s3l.cs High entropy of concatenated method names: 'I2KHaTjv5F', 'WTRHVRrGFg', 'vAxyKOj9tP', 'iMUyn0QrO9', 'WcgyFwqOS9', 'IIfy2K07mm', 'I4kyqoVryo', 'leZyXegAQF', 'zknyfKUMDv', 'RCiyCyUOE7'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, U7I6CqOV4hEK2WnYXJ.cs High entropy of concatenated method names: 'MDgi0VITsU', 'HOyi8n8G81', 'SJ9i9F0xn5', 'd66ilW6nmN', 'SuPinrZg3L', 'JKTiFOV99v', 'Ny0iqgT2wj', 'zoxiXI5WI9', 'wMeiCUtJnP', 'DREidWgwLa'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, HKgXv6f4E2PVi8EffN.cs High entropy of concatenated method names: 'aGTD4N8gpi', 'WFHDZNHYRm', 'f1qDB2pdYg', 'ys3DgypAEc', 'NIuDatKHl1', 'c3EDkprIh4', 'znWDVUITTp', 'NCAD0wtRJ7', 'f9JD8BiAS7', 'kqoDNaJ7Pf'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, I0ZywQbqwCMPcKL8Zq.cs High entropy of concatenated method names: 'vf7BAgCRB', 'BO1gPZdpm', 'VN1kZ4Ny0', 'beRVIvPSG', 'ItB8f1l1B', 'w8GNjwteb', 'lALM5RtElLcpt8KpPW', 'AdpYKFBs6mjYlLprKw', 'GW77VvYZ9', 'g5hhuAY28'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, c2nCxRwwLSZXQoOq8Dc.cs High entropy of concatenated method names: 'ToString', 'z83hJPvFKm', 'kfbhtKRwhw', 'UG2hQBmOGE', 'XpFh3HLgen', 'js9hr215kF', 'jDFhy978Af', 'a5bhH9ENQH', 'VPlTUR7qd85HbSinBjN', 'ft6Pwx7EA4jNWwtqhRT'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, VVW3fAyJyWOp4p139n.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oBSb6m6t1R', 'JRybse7AjV', 'bhIbzNppBv', 'bedJuhGIkY', 'IUaJwbdxH0', 'RWgJbgmWkY', 'md3JJfhkTR', 'PvRF0UUC4u4md2hkl0F'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, XHaA6e0yeWGIFLXZh0.cs High entropy of concatenated method names: 'oPVrPYcB6u', 'JQXrpbp3f6', 'wkNrvPACUx', 'LEhrEAry7A', 'k0Yr5CDOQn', 'x91rxK6L3O', 'tJrrMiviR1', 'FWvr1iDrLK', 'y4mr6N86In', 'HMArsLnMo3'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, pHbGFRskfJw4uI981M.cs High entropy of concatenated method names: 'UlVmwLBwmL', 'lKKmJRHhIG', 'OVimt65niM', 'a8Fm3Kd7To', 'XZOmrMMOdH', 'UBxmHybJZW', 'PSSmYek3Ca', 'IWX7M59SIe', 'YT471XyVeE', 'QQg761k1S2'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, WCpcTqx9lFvjHjqU3O.cs High entropy of concatenated method names: 'gCbR1HRp6u', 'NhaRsYbYPU', 'NSH7uIhUoE', 'b5t7wdiyeJ', 'DiuRdR3JSe', 'tGSRUn4hCN', 'rgBROJTm3n', 'HtdRPmG7oT', 'V4DRpbV0SN', 'eClRvdDtJf'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, ql0iGlwueNRHFyeJjAf.cs High entropy of concatenated method names: 'JIGm4Ogvou', 'ddpmZhyc5T', 'GsPmBH9RMd', 'gDomgsYu1U', 'LdemaBjRMR', 'n2Ymk5Mfvd', 'dJSmV1wG0h', 'jLqm0S8CFW', 'WQBm8hrKRJ', 'B03mNu6msr'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, jdIIGi8LXWqj3PmMV8.cs High entropy of concatenated method names: 'uBcygSP54u', 'ro5ykLuq3U', 'ypKy0oal8h', 'wpyy86pemh', 'EDWyTFABbM', 'RydyGfaeul', 'Hb3yRgrVDw', 'vKWy7LvDKH', 'vclymXldLJ', 'oRZyhbgigC'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, CoktPaSc1kjhq5jm3Y.cs High entropy of concatenated method names: 'MknJQQbXVJ', 'AmPJ3UpxHA', 'HeBJrGBfVJ', 'zeoJyYLBoe', 'ioGJHemidX', 'DPNJYxGRhf', 'jhdJDLBmhB', 'tPKJSDXCGh', 'VMlJIFshyV', 'BcXJoVkefR'
Source: 0.2.Doc via Dhl.exe.4927568.2.raw.unpack, hYuaDs6atb4lGIEJqh.cs High entropy of concatenated method names: 'EiP792pgsg', 'xcm7lGRv5U', 'Efd7KBHHXM', 'LOb7n6EXWQ', 'z0n7PiGmdM', 'UH27FSJTr3', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, sZ4VrP1Pq2tUcEwZkV.cs High entropy of concatenated method names: 'Wt373TFAF5', 'hxV7rdLLHo', 'R3M7yNT8pU', 'psu7He3Prq', 'Rgt7YhSARG', 'BEL7DObHJ2', 'v667Stwnpd', 'Jp67ILvoEd', 'c2w7omnuwS', 'dOA7e9ii0O'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, FWfRwwwJ0VPcjiUZicA.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TPNhPqlpoe', 'KY0hpS2fOF', 'zs0hvGXbxg', 'TAahEuEiAQ', 'T29h5BCDu8', 'nHDhxFdWCZ', 'MIHhM7Mmd3'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, IpxXLO9YvglOGIGXii.cs High entropy of concatenated method names: 'EcOYQjJHBL', 's1YYrExpAs', 'DHdYHTpkax', 'HkvYDgQyTC', 'MoMYSLe9pU', 'erbH5pOSUq', 'ydbHxsWly9', 'PIyHMemdIu', 'ghiH1jKu45', 'MVfH6mVcH0'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, u2SKvWqmABLA4v9fpB.cs High entropy of concatenated method names: 'iPbD3lcot3', 'NukDyPHSUl', 'Fs0DYtEDjT', 'SUMYsHquBK', 'HnjYz7RVpY', 'VLZDu2PFof', 'aTRDwe1F5r', 'nSVDblbLvl', 'zJRDJIeg9b', 'JcaDt8UmsE'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, JLGekDzXxxRq8hf9C2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lJ8micYkpY', 'u1vmTgDShk', 'sIJmGUvCaq', 'sUHmRMPitn', 'VLKm7nN0mE', 'w8qmmfAHKD', 'CfFmhhc2Zt'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, upCDQArMxOWehG4KA5.cs High entropy of concatenated method names: 'Dispose', 'goJw6n3NvO', 'VQGbl38JtM', 'WeBccFBYRO', 'zhZws4VrPP', 'L2twzUcEwZ', 'ProcessDialogKey', 'BVHbuYuaDs', 'Atbbw4lGIE', 'dqhbbRHbGF'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, SCXpvutIP60Q7MNP2J.cs High entropy of concatenated method names: 'wN1wDHaA6e', 'geWwSGIFLX', 'nLXwoWqj3P', 'rMVwe8n4Tw', 'S2swT3lnpx', 'LLOwGYvglO', 'h09TVUsrhKR6apEIDI', 'llGwXIrr9yitFJ22WQ', 'n6mwwZA9iD', 'ie5wJvFC8R'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, I4TwGqNNe6fXpp2s3l.cs High entropy of concatenated method names: 'I2KHaTjv5F', 'WTRHVRrGFg', 'vAxyKOj9tP', 'iMUyn0QrO9', 'WcgyFwqOS9', 'IIfy2K07mm', 'I4kyqoVryo', 'leZyXegAQF', 'zknyfKUMDv', 'RCiyCyUOE7'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, U7I6CqOV4hEK2WnYXJ.cs High entropy of concatenated method names: 'MDgi0VITsU', 'HOyi8n8G81', 'SJ9i9F0xn5', 'd66ilW6nmN', 'SuPinrZg3L', 'JKTiFOV99v', 'Ny0iqgT2wj', 'zoxiXI5WI9', 'wMeiCUtJnP', 'DREidWgwLa'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, HKgXv6f4E2PVi8EffN.cs High entropy of concatenated method names: 'aGTD4N8gpi', 'WFHDZNHYRm', 'f1qDB2pdYg', 'ys3DgypAEc', 'NIuDatKHl1', 'c3EDkprIh4', 'znWDVUITTp', 'NCAD0wtRJ7', 'f9JD8BiAS7', 'kqoDNaJ7Pf'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, I0ZywQbqwCMPcKL8Zq.cs High entropy of concatenated method names: 'vf7BAgCRB', 'BO1gPZdpm', 'VN1kZ4Ny0', 'beRVIvPSG', 'ItB8f1l1B', 'w8GNjwteb', 'lALM5RtElLcpt8KpPW', 'AdpYKFBs6mjYlLprKw', 'GW77VvYZ9', 'g5hhuAY28'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, c2nCxRwwLSZXQoOq8Dc.cs High entropy of concatenated method names: 'ToString', 'z83hJPvFKm', 'kfbhtKRwhw', 'UG2hQBmOGE', 'XpFh3HLgen', 'js9hr215kF', 'jDFhy978Af', 'a5bhH9ENQH', 'VPlTUR7qd85HbSinBjN', 'ft6Pwx7EA4jNWwtqhRT'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, VVW3fAyJyWOp4p139n.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oBSb6m6t1R', 'JRybse7AjV', 'bhIbzNppBv', 'bedJuhGIkY', 'IUaJwbdxH0', 'RWgJbgmWkY', 'md3JJfhkTR', 'PvRF0UUC4u4md2hkl0F'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, XHaA6e0yeWGIFLXZh0.cs High entropy of concatenated method names: 'oPVrPYcB6u', 'JQXrpbp3f6', 'wkNrvPACUx', 'LEhrEAry7A', 'k0Yr5CDOQn', 'x91rxK6L3O', 'tJrrMiviR1', 'FWvr1iDrLK', 'y4mr6N86In', 'HMArsLnMo3'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, pHbGFRskfJw4uI981M.cs High entropy of concatenated method names: 'UlVmwLBwmL', 'lKKmJRHhIG', 'OVimt65niM', 'a8Fm3Kd7To', 'XZOmrMMOdH', 'UBxmHybJZW', 'PSSmYek3Ca', 'IWX7M59SIe', 'YT471XyVeE', 'QQg761k1S2'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, WCpcTqx9lFvjHjqU3O.cs High entropy of concatenated method names: 'gCbR1HRp6u', 'NhaRsYbYPU', 'NSH7uIhUoE', 'b5t7wdiyeJ', 'DiuRdR3JSe', 'tGSRUn4hCN', 'rgBROJTm3n', 'HtdRPmG7oT', 'V4DRpbV0SN', 'eClRvdDtJf'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, ql0iGlwueNRHFyeJjAf.cs High entropy of concatenated method names: 'JIGm4Ogvou', 'ddpmZhyc5T', 'GsPmBH9RMd', 'gDomgsYu1U', 'LdemaBjRMR', 'n2Ymk5Mfvd', 'dJSmV1wG0h', 'jLqm0S8CFW', 'WQBm8hrKRJ', 'B03mNu6msr'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, jdIIGi8LXWqj3PmMV8.cs High entropy of concatenated method names: 'uBcygSP54u', 'ro5ykLuq3U', 'ypKy0oal8h', 'wpyy86pemh', 'EDWyTFABbM', 'RydyGfaeul', 'Hb3yRgrVDw', 'vKWy7LvDKH', 'vclymXldLJ', 'oRZyhbgigC'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, CoktPaSc1kjhq5jm3Y.cs High entropy of concatenated method names: 'MknJQQbXVJ', 'AmPJ3UpxHA', 'HeBJrGBfVJ', 'zeoJyYLBoe', 'ioGJHemidX', 'DPNJYxGRhf', 'jhdJDLBmhB', 'tPKJSDXCGh', 'VMlJIFshyV', 'BcXJoVkefR'
Source: 0.2.Doc via Dhl.exe.8b70000.7.raw.unpack, hYuaDs6atb4lGIEJqh.cs High entropy of concatenated method names: 'EiP792pgsg', 'xcm7lGRv5U', 'Efd7KBHHXM', 'LOb7n6EXWQ', 'z0n7PiGmdM', 'UH27FSJTr3', 'Next', 'Next', 'Next', 'NextBytes'
Source: C:\Users\user\Desktop\Doc via Dhl.exe File created: C:\Users\user\AppData\Roaming\JORnjCnA.exe

Boot Survival

Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JORnjCnA" /XML "C:\Users\user\AppData\Local\Temp\tmp1E38.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (185 identical entries)
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 2524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 3744, type: MEMORYSTR
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive (two identical requests)
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: Doc via Dhl.exe, 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp, Doc via Dhl.exe, 00000008.00000002.3394458591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JORnjCnA.exe, 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLESELECT * FROM WIN32_COMPUTERSYSTEM
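Reading this section as an analyst: the ip-api.com request asks for the `hosting` field only, a true/false answer on whether the egress IP belongs to a hosting, colocation or data-center range, which is how the sample decides it is running inside an analysis VM; the Win32_NetworkAdapterConfiguration enumeration and the SBIEDLL.DLL string are the usual VM and Sandboxie checks; the "memory write watch" reservations listed below are MEM_WRITE_WATCH allocations of the kind the .NET garbage collector makes for its heap segments, so they are weak evidence on their own (the same goes for the NOOPENFILEERRORBOX entries above, an error-mode flag the .NET runtime sets at startup). The sleep entries need the same care: 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, the value a .NET thread reports when it waits indefinitely, and the powershell.exe children show it too, so it is runtime noise rather than the sample's choice; the larger figures on powershell.exe and on TID 5424 and TID 5056 are exact multiples of it (3x, 5x, 24x, 32x), the report summing that wait across repeated calls. The sample's real stalling is the run of roughly 100 s sleeps on TID 5424 in Doc via Dhl.exe and TID 5056 in JORnjCnA.exe, each about 110 ms shorter than the last. The script below is an added example and not part of the report or the sandbox's tooling: it parses lines in this report's format (a constructed copy of a few of them is embedded), discards the runtime value and its multiples, totals the remaining sleeps per thread and counts the evasion indicators. The indicator names are my own labels; the 30 s threshold is the report's own ">= -30000s" cut-off.

```python
"""Triage the "Malware Analysis System Evasion" lines of a Joe Sandbox report.

Added example: separates CLR runtime noise from the sample's own stalling
loop and counts the evasion indicators. Indicator names are my own labels.
"""
import re
from collections import defaultdict
from pprint import pprint

# TimeSpan.MaxValue.TotalMilliseconds, truncated: what a .NET "wait forever"
# looks like in the report. The report adds up a thread's waits, so exact
# multiples (3x, 5x, 24x, 32x in this report) are the same runtime wait seen
# repeatedly, not a sleep length the sample chose.
CLR_INFINITE_WAIT_MS = 922337203685477
SANDBOX_THRESHOLD_MS = 30000   # the ">= -30000s" cut-off the report prints

SLEEP_TIME_RE = re.compile(
    r"Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
SLEEP_COUNT_RE = re.compile(
    r"Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) >")

INDICATORS = {
    # hosting=true from ip-api.com means a data-center / colo egress IP
    "hosting_lookup":    re.compile(r"GET /line/\?fields=hosting .*ip-api\.com"),
    # NIC enumeration via WMI: adapter names and MAC prefixes betray VMs
    "nic_enum_wmi":      re.compile(r"WMI Queries: .*Win32_NetworkAdapter"),
    # Sandboxie injects SbieDll.dll into every sandboxed process
    "sandboxie_string":  re.compile(r"memory string: .*SBIEDLL\.DLL", re.I),
    # MEM_WRITE_WATCH reservations; the .NET GC makes these too, weak alone
    "write_watch_alloc": re.compile(r"memory reserve \| memory write watch"),
}

# Constructed sample: a few lines copied in the report's own format.
SAMPLE_LINES = r"""
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: Doc via Dhl.exe, 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLESELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1036 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99772s >= -30000s
"""


def classify_sleep(ms: int) -> str:
    """'clr_infinite_wait' for the runtime value or a multiple of it,
    'stalling' at or above the sandbox threshold, 'short' otherwise."""
    if ms and ms % CLR_INFINITE_WAIT_MS == 0:
        return "clr_infinite_wait"
    if ms >= SANDBOX_THRESHOLD_MS:
        return "stalling"
    return "short"


def triage(report_text: str) -> dict:
    """Return indicator counts, the number of CLR-noise sleep lines and, per
    (process, TID), how long the sample itself stalled."""
    hits = defaultdict(int)
    stalls = defaultdict(list)
    loops = {}
    noise = 0
    for line in report_text.splitlines():
        m = SLEEP_TIME_RE.search(line)
        if m:
            key = (m.group("proc"), int(m.group("tid")))
            ms = int(m.group("ms"))
            kind = classify_sleep(ms)
            if kind == "clr_infinite_wait":
                noise += 1
            elif kind == "stalling":
                stalls[key].append(ms)
            continue
        m = SLEEP_COUNT_RE.search(line)
        if m:
            key = (m.group("proc"), int(m.group("tid")))
            loops[key] = max(loops.get(key, 0), int(m.group("n")))
            continue
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits[name] += 1
    stalling = {
        key: {"calls": len(v), "total_s": round(sum(v) / 1000, 1),
              "loop_count": loops.get(key, 0)}
        for key, v in stalls.items()
    }
    return {"indicators": dict(hits), "clr_noise_lines": noise,
            "stalling": stalling}


if __name__ == "__main__":
    pprint(triage(SAMPLE_LINES))
```

Run against the full section rather than the embedded sample, the stalling entry for TID 5424 is what tells you how long the sandbox's clock had to be moved forward before the stealer's injection and credential-theft stages were reached; the two CLR-noise counters are there to stop the "long sleeps" signature from being read as sample-specific behaviour.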
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 6280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 7280000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 73C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 83C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 8C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 9C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: AC20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: BC20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 3320000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 4730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 5E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 6E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 6F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 7F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 8780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 5E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 1820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory allocated: 30E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4972
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 606
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7723
Source: C:\Users\user\Desktop\Doc via Dhl.exe Window / User API: threadDelayed 3602
Source: C:\Users\user\Desktop\Doc via Dhl.exe Window / User API: threadDelayed 6227
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Window / User API: threadDelayed 2053
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Window / User API: threadDelayed 7814
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6032 Thread sleep count: 4972 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2360 Thread sleep count: 606 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1036 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1352 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 1836 Thread sleep count: 3602 > 30
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99772s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99282s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 1836 Thread sleep count: 6227 > 30
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98843s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98405s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98188s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -98063s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97938s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97664s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96969s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -96110s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95610s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95485s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -95110s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94985s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94860s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94735s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94610s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94485s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94360s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94235s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe TID: 5424 Thread sleep time: -94110s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 3992 Thread sleep count: 2053 > 30
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99888s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 3992 Thread sleep count: 7814 > 30
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99452s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99124s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98898s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98462s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98138s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97702s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97374s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96499s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96384s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96171s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -96062s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95953s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95843s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95734s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95624s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95515s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95406s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95296s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95187s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -95078s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -94968s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -94859s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -94749s >= -30000s
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe TID: 5056 Thread sleep time: -94640s >= -30000s
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Doc via Dhl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99772
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99532
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99282
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99172
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99063
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98953
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98843
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98734
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98625
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98516
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98405
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98297
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98188
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 98063
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97938
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97828
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97664
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97547
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97438
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97313
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97203
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 97094
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96969
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96860
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96735
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96610
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96485
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96360
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96235
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 96110
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95985
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95860
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95735
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95610
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95485
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95360
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95235
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 95110
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94985
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94860
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94735
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94610
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94485
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94360
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94235
Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 94110
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99888
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99452
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99124
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98898
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98796
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98462
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98138
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97702
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97374
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96937
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96828
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96718
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96609
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96499
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96384
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96171
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 96062
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95953
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95843
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95734
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95624
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95515
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95406
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95296
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95187
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 95078
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 94968
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 94859
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 94749
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 94640
Source: JORnjCnA.exe, 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Doc via Dhl.exe, 00000000.00000002.2180324079.0000000005FE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}#
Source: JORnjCnA.exe, 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVBox
Source: Doc via Dhl.exe, 00000008.00000002.3395459263.0000000001678000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: JORnjCnA.exe, 0000000E.00000002.3395435708.000000000162D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Doc via Dhl.exe, 00000000.00000002.2181309333.0000000008B70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VmciHm7pUp
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process information queried: ProcessInformation
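
The "Thread delayed" observations above are worth reading as a whole rather than line by line: each process sleeps in a countdown loop (100000, 99890, 99772, ... ms) that adds up to well over the three minutes most sandboxes allow, and the value 922337203685477 is Int64.MaxValue in 100-ns ticks divided by 10,000, i.e. an infinite wait. The following triage script is an added example, not part of the Joe Sandbox report or of the sample; it assumes the delay figures are milliseconds (the tool's 30000 threshold reads as 30 s under that assumption), and its sample lines are constructed from the observations on this page.

```python
import re
from collections import defaultdict

# .NET hands an "infinite" timeout to NtDelayExecution as Int64.MaxValue
# 100-ns ticks; divided by 10,000 that is the millisecond figure in the report.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000          # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                     # the report's ">= 3 min" bar

# One "Thread delayed" observation per line; the pattern is not anchored at
# the end, so any trailing link text on a line is ignored.
_DELAY_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Thread delayed: delay time:\s*(?P<delay>\d+)"
)

# Constructed sample, copied from the observations above (values assumed to be ms).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 100000",
    r"Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99890",
    r"Source: C:\Users\user\Desktop\Doc via Dhl.exe Thread delayed: delay time: 99772",
    r"Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 100000",
    r"Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Thread delayed: delay time: 99888",
    r"Source: C:\Windows\System32\conhost.exe Last function: Thread delayed",
]


def parse_delays(lines):
    """Map each process path to the list of waits (ms) the report attributes to it."""
    delays = defaultdict(list)
    for line in lines:
        m = _DELAY_RE.match(line.strip())
        if m:
            delays[m.group("proc")].append(int(m.group("delay")))
    return dict(delays)


def sleep_steps(values):
    """Differences between consecutive finite waits. A small, steady positive
    step is the fingerprint of a countdown loop (sleep t, then t -= k)."""
    finite = [v for v in values if v != INFINITE_WAIT_MS]
    return [a - b for a, b in zip(finite, finite[1:])]


def summarize(lines):
    """Per process: wait count, summed finite wait, whether an infinite wait
    was seen, and whether the finite total crosses the 3-minute bar."""
    report = {}
    for proc, values in parse_delays(lines).items():
        finite = [v for v in values if v != INFINITE_WAIT_MS]
        total = sum(finite)
        report[proc] = {
            "count": len(values),
            "total_ms": total,
            "infinite_wait": len(finite) != len(values),
            "long_sleep": total >= LONG_SLEEP_MS,
        }
    return report


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        print(f"{proc}: {info}")
```

Run against the full listing above, the per-process totals are what the "Contains long sleeps (>= 3 min)" signature is reacting to; the infinite wait in the PowerShell children is the parent holding them open rather than an evasion on its own, which is why the summary keeps the two signals separate.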

Anti Debugging

Source: C:\Users\user\Desktop\Doc via Dhl.exe Code function: 8_2_03197180 CheckRemoteDebuggerPresent, 8_2_03197180
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc via Dhl.exe"
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JORnjCnA.exe"
Source: C:\Users\user\Desktop\Doc via Dhl.exe Memory written: C:\Users\user\Desktop\Doc via Dhl.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Memory written: C:\Users\user\AppData\Roaming\JORnjCnA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JORnjCnA" /XML "C:\Users\user\AppData\Local\Temp\tmp1E38.tmp"
Source: C:\Users\user\Desktop\Doc via Dhl.exe Process created: C:\Users\user\Desktop\Doc via Dhl.exe "C:\Users\user\Desktop\Doc via Dhl.exe"
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JORnjCnA" /XML "C:\Users\user\AppData\Local\Temp\tmp2DD8.tmp"
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process created: C:\Users\user\AppData\Roaming\JORnjCnA.exe "C:\Users\user\AppData\Roaming\JORnjCnA.exe"
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Process created: C:\Users\user\AppData\Roaming\JORnjCnA.exe "C:\Users\user\AppData\Roaming\JORnjCnA.exe"
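
The two process-creation patterns listed above, powershell.exe adding Defender exclusions for the dropper and its copy, and schtasks.exe importing a task definition from a temp file, are exactly what the Sigma rules named in the summary key on. The detector below is an added example, not Joe Sandbox code and not the rules themselves; it runs over constructed Sysmon-style (Event ID 1) records built from the command lines on this page. The base64 -EncodedCommand variant is constructed here for illustration, since the sample's own encoded invocation is not reproduced on this page, and the field names Image, ParentImage and CommandLine are assumed.

```python
import base64
import re

# Constructed Sysmon-style (Event ID 1) process-creation records built from the
# command lines in the report above. The -EncodedCommand record is constructed
# here; the report's own encoded invocation is not reproduced on this page.
PS_EXCLUSION = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JORnjCnA.exe"'
ENCODED = base64.b64encode(PS_EXCLUSION.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\Doc via Dhl.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Doc via Dhl.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\JORnjCnA.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand ' + ENCODED},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Doc via Dhl.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JORnjCnA" /XML "C:\Users\user\AppData\Local\Temp\tmp1E38.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\JORnjCnA"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the common
# short forms are listed here (add -en, -enco, ... for production use).
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
_MPPREF_RE = re.compile(r"(?i)\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension|IpAddress)\b")
_TEMP_TASK_RE = re.compile(r'(?i)/create\b.*/xml\s+"?[^"]*?\\temp\\')


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_command(cmdline):
    """The command line plus any decoded payload, so rules see both forms."""
    decoded = decode_encoded_command(cmdline)
    return cmdline if decoded is None else f"{cmdline} {decoded}"


def is_user_writable(path):
    """True for locations a non-admin user controls (Desktop, Downloads, AppData)."""
    p = path.lower()
    return "\\users\\" in p and any(d in p for d in ("\\appdata\\", "\\desktop\\", "\\downloads\\"))


def check_event(event):
    """Rule hits for one process-creation record."""
    image = event["Image"].lower()
    cmd = effective_command(event["CommandLine"])
    hits = []
    if image.endswith("\\powershell.exe") and _MPPREF_RE.search(cmd):
        hits.append("defender_exclusion_added")
        if decode_encoded_command(event["CommandLine"]) is not None:
            hits.append("defender_exclusion_base64_encoded")
    if image.endswith("\\schtasks.exe") and _TEMP_TASK_RE.search(cmd):
        hits.append("task_created_from_temp_xml")
    # Context: both actions were launched by a binary in the user profile.
    if hits and is_user_writable(event["ParentImage"]):
        hits.append("parent_in_user_writable_path")
    return hits


def run_detections(events):
    """Hit lists, one per input record, in input order."""
    return [check_event(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_detections(SAMPLE_EVENTS)):
        if hits:
            print(hits, "<-", event["CommandLine"][:80])
```

On a live host the same two actions also leave native evidence worth correlating: Windows Defender logs exclusion changes as Event ID 5007 in Microsoft-Windows-Windows Defender/Operational, and task creation is Security Event ID 4698 when object auditing is on, which survives even if the temp XML has already been deleted.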
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Users\user\Desktop\Doc via Dhl.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Users\user\Desktop\Doc via Dhl.exe VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Users\user\AppData\Roaming\JORnjCnA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Users\user\AppData\Roaming\JORnjCnA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Doc via Dhl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3397952254.0000000003378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3398680179.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3398680179.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3397952254.0000000003353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3394458591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 2524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 1948, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Doc via Dhl.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Doc via Dhl.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Doc via Dhl.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\JORnjCnA.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3398680179.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3397952254.0000000003353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3394458591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 2524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 1948, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.3813c78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4ae49e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Doc via Dhl.exe.4aa93c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.JORnjCnA.exe.37d8658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3397952254.0000000003378000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3398680179.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3398680179.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3397952254.0000000003353000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3394458591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2213857721.00000000037D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177050686.0000000004AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 2524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Doc via Dhl.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JORnjCnA.exe PID: 1948, type: MEMORYSTR