Windows Analysis Report
DHL_1003671162.exe

Overview

General Information

Sample name: DHL_1003671162.exe
Analysis ID: 1430783
MD5: 1d584d84d4965e7a0da615b32ab85f2e
SHA1: bbb9c2211444450bb34a27f1a98d778e3c96b9bb
SHA256: 061087cd835abcfc3411f0ec4b15ccf80516276a356b2eedc4cb444d0dac0187
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
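Several of the Sigma hits above (Powershell Base64 Encoded MpPreference Cmdlet, Powershell Defender Exclusion, Suspicious Schtasks From Env Var Folder, Scheduled temp file as task from temp location) describe the same two host behaviours: a PowerShell one-liner, usually passed through -EncodedCommand, that adds a Defender exclusion, and a schtasks /Create whose payload or task XML lives in a user-writable folder. The Python below is an added example written for this page, not code from the sandbox or from the Sigma project; it approximates the logic of those rules rather than reproducing them, and the process-creation events it runs over are constructed for illustration (the rule names, the event field names and the folder list are assumptions, not values recorded by the sandbox). The point it makes that a reader can get wrong: -EncodedCommand carries base64 of UTF-16LE text, so decoding it as UTF-8 will not reveal the cmdlet name.

```python
"""Detection logic for two AgentTesla-style host behaviours (added example).

Approximates the Sigma rules "Powershell Base64 Encoded MpPreference Cmdlet",
"Powershell Defender Exclusion" and "Suspicious Schtasks From Env Var Folder"
over process-creation events shaped as {"image": ..., "cmdline": ...}.
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The argument is base64 of the script encoded as UTF-16LE, not UTF-8.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]{0,14}\s+([A-Za-z0-9+/]{16,}={0,2})")
_MP_PREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# Locations a scheduled task's payload or XML should not normally come from
# (assumed list for this example, not the Sigma rule's exact one).
_USER_WRITABLE = re.compile(
    r"(?i)%(?:appdata|localappdata|temp|tmp|public)%"
    r"|\\AppData\\(?:Roaming|Local)\\"
    r"|\\Users\\Public\\"
    r"|\\Temp\\"
)
# Captures the argument of /TR (task action) or /XML (task definition file).
_SCHTASKS_TARGET = re.compile(r"(?i)/(?:tr|xml)\s+\"?([^\"]+?)\"?(?:\s+/|$)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = _ENC_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64, or not UTF-16LE: not an encoded command


def detect_defender_exclusion(event):
    """Flag Add-/Set-MpPreference in a PowerShell command line, encoded or plain."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None and _MP_PREF.search(decoded):
        return "powershell_base64_mppreference"
    if _MP_PREF.search(event["cmdline"]):
        return "powershell_defender_exclusion"
    return None


def detect_schtasks_from_user_folder(event):
    """Flag schtasks /Create whose /TR or /XML points into a user-writable folder."""
    cmd = event["cmdline"]
    if not event["image"].lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return None
    for target in _SCHTASKS_TARGET.findall(cmd):
        if _USER_WRITABLE.search(target):
            return "schtasks_from_user_writable_folder"
    return None


def analyze(events):
    """Run both detections over a list of events; returns [(event_index, rule_name)]."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (detect_defender_exclusion, detect_schtasks_from_user_folder):
            name = rule(ev)
            if name:
                hits.append((i, name))
    return hits


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events for this example; not the command lines from the sandbox run.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle hidden -enc "
                + encode_for_powershell(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\example" /XML "C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /TR "C:\Program Files\Backup\backup.exe" /SC DAILY'},
]

if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Only the first two constructed events fire; the -ExecutionPolicy Bypass launch and the task created under Program Files are left alone. In a real pipeline the decoded script, not just the rule name, should be kept with the alert, because the exclusion path it names is the folder the next stage will be dropped into.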

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: DHL_1003671162.exe Avira: detected
Source: http://mail.clslk.com Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Avira: detection malicious, Label: HEUR/AGEN.1323731
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Avira: detection malicious, Label: HEUR/AGEN.1323731
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.clslk.com", "Username": "gm@clslk.com", "Password": "NUZRATHinam1978"}
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Virustotal: Detection: 57%
Source: DHL_1003671162.exe Virustotal: Detection: 57%
Source: DHL_1003671162.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Joe Sandbox ML: detected
Source: DHL_1003671162.exe Joe Sandbox ML: detected
Source: DHL_1003671162.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_1003671162.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: the following six rules fired on each of the four exfil connections 192.168.2.4:{49733, 49736, 49738, 49743} -> 50.87.253.239:587 (note that the Telegram-labelled rule 2851779 matched on this SMTP flow as well):
  2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity
  2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP
  2851779 ETPRO TROJAN Agent Tesla Telegram Exfil
  2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2
  2030171 ET TROJAN AgentTesla Exfil Via SMTP
  2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 50.87.253.239:587
Source: Joe Sandbox View IP Address: 50.87.253.239
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mail.clslk.com
Source: DHL_1003671162.exe, 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.clslk.com
Source: DHL_1003671162.exe, 00000000.00000002.1690593567.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 00000007.00000002.1728354948.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 0000000C.00000002.1839427071.000000000361A000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000011.00000002.1901714817.0000000002623000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL_1003671162.exe, 00000000.00000002.1702919719.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHL_1003671162.exe, 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, qmUxKv.exe, 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, umlRMRbjNqD.cs .Net Code: fKv0R
Source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, umlRMRbjNqD.cs .Net Code: fKv0R

System Summary

Source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_1003671162.exe.7190000.10.raw.unpack, HomeView.cs Large array initialization: : array initializer size 33604
Source: C:\Users\user\Desktop\DHL_1003671162.exe Code functions (prefix 0_2_): 0289D98C, 071B6798, 071B9528, 071B45F8, 071B9830, 071B58D8, 071B6715, 071B6756, 071BA7B1, 071BA7C0, 071B7678, 071B7688, 071B66F9, 071B9519, 071B8531, 071B4560, 071B4E70, 071BBED7, 071BDEC1, 071BBEE8, 071B3AD8, 071B8AE8, 071B88B0, 071B88A0, 0AE81F28, 0AE8CDE0, 0AE8AD94, 0AE84BE0, 0AE873D0, 0AE85888, 0AE85018, 0AE81F18, 0AE85441, 0AE85450
Source: C:\Users\user\Desktop\DHL_1003671162.exe Code functions (prefix 6_2_): 014BA3D8, 014BD658, 014B9810, 014B4AD0, 014B3EB8, 014B4200, 05A08A68, 05A0B7F8, 05A09F7C, 062C9F80, 062C5B80, 062C3398, 062C43F8, 062C9038, 062C0040, 062CC1A0, 062CE1A0, 062C54A0, 062C3AF0
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code functions (prefix 7_2_): 012AD98C, 04C29F18, 04C21F28, 04C25758, 04C272A0, 04C25311, 04C25320, 04C24EE8, 04C21F19, 04C24AB0, 06FC6798, 06FC45F8, 06FC9528, 06FC58D8, 06FC9830, 06FC66F9, 06FC7688, 06FC7678, 06FCA7C0, 06FCA7B1, 06FC6756, 06FC6715, 06FC4560, 06FC8531, 06FC9519, 06FC5338, 06FCE000, 06FCE1BC, 06FCBEE8, 06FCBED7, 06FC4E81, 06FCDFF1, 06FC4C79, 06FC8AE8, 06FC3AD8, 06FC88B0, 06FC88A0
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code functions (prefix 11_2_): 02EAD650, 02EAA490, 02EA4AD0, 02EA9810, 02EA3EB8, 02EA4200, 02EAA482, 06419D54, 06429F80, 064243F8, 06425B80, 06423398, 06420040, 06429038, 0642C1A0, 0642E1A0, 064254A0, 06423AF0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code functions (prefix 12_2_): 016DD98C, 032B1F28, 032B9F28, 032BBDD8, 032B5320, 032B5311, 032B72A0, 032B5758, 032B4AB0, 032B1F19, 032B9F18, 032B4EE8, 077A6798, 077A9528, 077A45F8, 077A9840, 077A58E8, 077A6717, 077AA7C0, 077AA7B1, 077A7678, 077A66A8, 077A7688, 077A4560, 077A8540, 077A8531, 077A9519, 077A5348, 077A5338, 077AE1BC, 077AE000, 077ABEE8, 077ABED7, 077A4E80, 077A3AE8, 077A8AE8, 077A3AD8, 077A9830, 077A58D8, 077A88B0, 077A88A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code functions (prefix 16_2_): 0327D349, 032796F0, 03274AD0, 03279EA8, 03273EB8, 03274200, 0696B400, 06969DCC, 06979F80, 06973398, 06975B80, 069743F8, 06979038, 06970040, 0697E1A0, 069754A0, 06973AF0, 0697C1A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code functions (prefix 17_2_): 025BD98C, 07B8C088, 07B8A050, 07B81F28, 07B85450, 07B85441, 07B873D0, 07B85018, 07B8A040, 07B81F18, 07B84BE0, 07B85888
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code functions (prefix 20_2_): 0320D128, 03204AD0, 03209EA8, 03203EB8, 03204200, 0686B658, 06869DCC, 06879F80, 06875B80, 06873398
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_068743F8 20_2_068743F8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_0687902A 20_2_0687902A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_06870040 20_2_06870040
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_0687E190 20_2_0687E190
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_068754A0 20_2_068754A0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_06873ADB 20_2_06873ADB
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_0687C1A0 20_2_0687C1A0
Source: DHL_1003671162.exe, 00000000.00000002.1704965625.0000000007190000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000000.00000002.1707261132.000000000B170000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000000.00000002.1689302752.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000000.00000002.1690593567.0000000002A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename9e4810db-acaa-47dc-a281-6153255fd520.exe4 vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000000.00000002.1693256058.00000000043DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000000.00000000.1662439926.0000000000542000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameelby.exe0 vs DHL_1003671162.exe
Source: DHL_1003671162.exe, 00000006.00000002.2924858625.0000000000F88000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL_1003671162.exe
Source: DHL_1003671162.exe Binary or memory string: OriginalFilenameelby.exe0 vs DHL_1003671162.exe
Source: DHL_1003671162.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DHL_1003671162.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qmUxKv.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, v9Lsz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, VFo.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, 5FJ0H20tobu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, NtdoTGO.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, XBsYgp.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, AwxUa2Na.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, 19C9FfZ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, 19C9FfZ.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, soCD8XkwU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, soCD8XkwU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs Security API names: _0020.SetAccessControl
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs Security API names: _0020.AddAccessRule
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, piTvKODFSX0jcR75aU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs Security API names: _0020.SetAccessControl
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs Security API names: _0020.AddAccessRule
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, piTvKODFSX0jcR75aU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/16@1/1
Source: C:\Users\user\Desktop\DHL_1003671162.exe File created: C:\Users\user\AppData\Roaming\qmUxKv.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Users\user\Desktop\DHL_1003671162.exe File created: C:\Users\user\AppData\Local\Temp\tmp3999.tmp
Source: DHL_1003671162.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHL_1003671162.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_1003671162.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_1003671162.exe Virustotal: Detection: 57%
Source: DHL_1003671162.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\DHL_1003671162.exe File read: C:\Users\user\Desktop\DHL_1003671162.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe C:\Users\user\AppData\Roaming\qmUxKv.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp"
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
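The process-creation lines above carry the whole defense-evasion and persistence chain in three command lines: a PowerShell Add-MpPreference call that excludes the dropped copy from Defender scanning, a schtasks /Create whose task definition is fed from a .tmp file in the user's Temp directory, and the sample re-launching its own image before injecting the payload. The following Python is an added example for this page, not code from the sandbox report or from the malware: it runs those rules over parent/child/command-line rows transcribed from the Process created lines, plus two constructed rows that are assumptions rather than observed events (a benign explorer.exe launching notepad.exe, and the same Add-MpPreference call wrapped in -EncodedCommand, which the detector decodes from base64 UTF-16LE). It also correlates the excluded path against later process images so the excluded binary's execution is raised as its own finding.

```python
"""Detection pass over the process-creation chain listed above.

Added example, not sandbox or malware code. Event rows are transcribed from
the report's "Process created" lines; the explorer/notepad row and the
-EncodedCommand row are constructed (assumed, not observed) to show a miss
and an obfuscated hit.
"""
import base64
import re

DHL = r"C:\Users\user\Desktop\DHL_1003671162.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
QMUXKV = r"C:\Users\user\AppData\Roaming\qmUxKv.exe"
BOQXV = r"C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"

# Constructed: the same cmdlet as PowerShell's -EncodedCommand carries it (base64 of UTF-16LE).
_ENCODED = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qmUxKv.exe'".encode("utf-16le")
).decode("ascii")

# (parent image or None when the report says "unknown", created image, command line)
SAMPLE_EVENTS = [
    (None, DHL, f'"{DHL}"'),
    (DHL, POWERSHELL, f'"{POWERSHELL}" Add-MpPreference -ExclusionPath "{QMUXKV}"'),
    (POWERSHELL, CONHOST, f"{CONHOST} 0xffffffff -ForceV1"),
    (DHL, SCHTASKS, f'"{SCHTASKS}" /Create /TN "Updates\\qmUxKv" /XML "{TEMP}\\tmp3999.tmp"'),
    (DHL, DHL, f'"{DHL}"'),
    (None, QMUXKV, QMUXKV),
    (QMUXKV, SCHTASKS, f'"{SCHTASKS}" /Create /TN "Updates\\qmUxKv" /XML "{TEMP}\\tmp46C8.tmp"'),
    (QMUXKV, QMUXKV, f'"{QMUXKV}"'),
    (None, BOQXV, f'"{BOQXV}"'),
    (BOQXV, SCHTASKS, f'"{SCHTASKS}" /Create /TN "Updates\\qmUxKv" /XML "{TEMP}\\tmp6C70.tmp"'),
    (BOQXV, BOQXV, f'"{BOQXV}"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # constructed, benign
    (DHL, POWERSHELL, f'"{POWERSHELL}" -NoProfile -EncodedCommand {_ENCODED}'),    # constructed, obfuscated
]

ENC_RE = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
EXCLUSION_RE = re.compile(r"(?i)add-mppreference\b.*?-exclusion(?:path|process|extension)\s+[\"']?([^\"']+)")
XML_RE = re.compile(r'(?i)/xml\s+"?([^"\s]+)')
TEMP_RE = re.compile(r"(?i)\\(?:appdata\\local\\temp|windows\\temp)\\")


def effective_commandline(cmdline):
    """Append the decoded -EncodedCommand payload, if any, so rules see the real cmdlet."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def _basename(path):
    return (path or "").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding dict per rule hit over (parent, image, cmdline) rows."""
    events = list(events)
    findings, excluded = [], set()
    for parent, image, cmdline in events:
        cl = effective_commandline(cmdline)
        base = _basename(image)
        if base == "powershell.exe":
            m = EXCLUSION_RE.search(cl)
            if m:  # Defender told to stop scanning a user-writable path
                excluded.add(m.group(1).strip().lower())
                findings.append({"rule": "defender_exclusion_added", "image": image, "detail": m.group(1).strip()})
        if base == "schtasks.exe" and "/create" in cl.lower():
            m = XML_RE.search(cl)
            if m and TEMP_RE.search(m.group(1)):  # task definition dropped to %TEMP% first
                findings.append({"rule": "schtasks_xml_from_temp", "image": image, "detail": m.group(1)})
        if parent and parent.lower() == image.lower():  # same binary re-launches itself: hollowing setup
            findings.append({"rule": "self_spawn_possible_injection", "image": image, "detail": parent})
    for path in sorted(excluded):  # correlate: was the excluded binary then executed?
        if any((img or "").lower() == path for _, img, _ in events):
            findings.append({"rule": "excluded_path_executed", "image": path, "detail": "excluded binary later launched"})
    return findings


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['image']}  <- {f['detail']}")
```

Run against the transcribed rows this yields two Defender-exclusion findings (plain and encoded), three schtasks-from-Temp findings (one per dropped .tmp), three self-spawn findings (DHL_1003671162.exe, qmUxKv.exe and boqXv.exe each re-launching themselves) and one correlation finding for qmUxKv.exe being executed after it was excluded; the benign notepad row produces nothing. The -EncodedCommand decoding matters because the exclusion cmdlet is the same whether or not it is base64-wrapped, and a rule that only matches the literal text misses the wrapped form.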
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: DHL_1003671162.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_1003671162.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: DHL_1003671162.exe, --.cs .Net Code: _0002
Source: qmUxKv.exe.0.dr, --.cs .Net Code: _0002
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs .Net Code: CG1Rxu67QA System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs .Net Code: CG1Rxu67QA System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_1003671162.exe.7190000.10.raw.unpack, HomeView.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_0289EBE0 pushad ; iretd 0_2_0289EBE1
Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_071B61EF pushad ; retf 0_2_071B61F0
Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_071B61E5 pushad ; retf 0_2_071B61E6
Source: C:\Users\user\Desktop\DHL_1003671162.exe Code function: 0_2_0AE82C68 push eax; ret 0_2_0AE82C71
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_012AEBE0 pushad ; iretd 7_2_012AEBE1
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06D2D261 pushad ; iretd 7_2_06D2D26D
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06D24383 push eax; retf 7_2_06D24389
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06D2DE00 push es; retf 7_2_06D2DE0C
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06FC61EF pushad ; retf 7_2_06FC61F0
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Code function: 7_2_06FC61E5 pushad ; retf 7_2_06FC61E6
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_016DEBE0 pushad ; iretd 12_2_016DEBE1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_032BBDD8 push eax; iretd 12_2_032BC505
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_032BC4F8 push eax; iretd 12_2_032BC505
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077A61EF pushad ; retf 12_2_077A61F0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 12_2_077A61E5 pushad ; retf 12_2_077A61E6
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F595 push es; iretd 16_2_0696F5C8
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F5DD push es; iretd 16_2_0696F5E0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F5CD push es; iretd 16_2_0696F5DC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F5C9 push es; iretd 16_2_0696F5CC
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F510 push es; iretd 16_2_0696F51C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F51D push es; iretd 16_2_0696F520
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F521 push es; iretd 16_2_0696F524
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F555 push es; iretd 16_2_0696F55C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F544 push es; iretd 16_2_0696F548
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F549 push es; iretd 16_2_0696F554
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F571 push es; iretd 16_2_0696F57C
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F57D push es; iretd 16_2_0696F588
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696F56D push es; iretd 16_2_0696F570
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 16_2_0696FB90 push es; ret 16_2_0696FBA0
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 17_2_025BEBE0 pushad ; iretd 17_2_025BEBE1
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Code function: 20_2_0686F5CF push es; iretd 20_2_0686F5DC
Source: DHL_1003671162.exe Static PE information: section name: .text entropy: 7.970864904869302
Source: qmUxKv.exe.0.dr Static PE information: section name: .text entropy: 7.970864904869302
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, UDLi2hNReX4CONvj27.cs High entropy of concatenated method names: 'UtJoL6lkKD', 'tx4ohyfqe8', 'qB9ouJ7iNP', 'kYMoEPUVGR', 'Swuo2tks2g', 'In3oXRCrUi', 'JtAyQaFAqWJMfcu9la', 'iQnkRf1wR97RPvWMG0', 'ANmooWTZ67', 'UMroC1ctgG'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, KqnPq499EHbIyJkR2c8.cs High entropy of concatenated method names: 'ToString', 'QcJICPp2My', 'eVMIRLQ64D', 'OLKIZqZqi1', 'uN8IkOxg9D', 'NS8Il8u6WO', 'LQqIbjSBaf', 'ctDIyDu2EN', 'REPdQWCVtXCbPRHhhoJ', 'lUHsBbCcP3fnxMRO0Sm'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, FreH877o4sX9uPE3R8.cs High entropy of concatenated method names: 'Q7gasY93qA', 'H3BaYUBxlm', 'w786m6GmEk', 'g8A6oXMcKI', 'OICa9lHIuC', 'osCaK790Mn', 'TjWa7PMftu', 'Rc3afMriiJ', 'MsCa0xmSr1', 'cRBaiUo0kQ'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, piTvKODFSX0jcR75aU.cs High entropy of concatenated method names: 'S4WlfLN1ap', 'Iynl037Jk0', 'xxQlidwl2A', 'FkCl502j6J', 'HnylPdJpV0', 'LRLlHdkBmj', 'UIjlFJkedP', 'LeClsuenhH', 'zfult1FKEi', 'tdhlYGgttl'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, X4QbFhkZug2cenpRr5.cs High entropy of concatenated method names: 'zt9xP6OBL', 'AZFN7TMwO', 'c9yDVpiVr', 'M5hAESLWl', 'tuyju6FKG', 'taeVEZExT', 'FToZ59wpwD8bPswR7O', 'ybukZ0rogHfMMmAf2m', 'DJV64vrKk', 'st2IvgsJF'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, bsHBr02E3QP21WBYUb.cs High entropy of concatenated method names: 'tEXy8XsE6A', 'sAqyA053R7', 'RkPbroZtkT', 'sw2bSBjaAF', 'mNhbdn4DQK', 'xg8bWbYywV', 'ejIbG69J5G', 'lpmb3NZNgK', 'fTUbcxwVBe', 'oqEbqRBtPS'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, DYrTp3RpBrcAQ48aRP.cs High entropy of concatenated method names: 'vMXvnV5p58', 'QUjvjRhDCY', 'trLvgLqBp6', 'pmSvw9QCK7', 'CBtvSrYsDL', 'fIsvdwIV0R', 'qSGvGG7rjv', 'Qeqv34j0o9', 'VC2vqQIurs', 'shbv9eCMwT'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, yJ4pUYn5sgxJhbv7hC.cs High entropy of concatenated method names: 'ToString', 'x7eX98o8qM', 'IfPXwFiiAc', 'yxdXrbkbHt', 'o6AXSya3Ho', 'uQJXd6f354', 'kLeXWr8R2O', 'YbbXGbKZ5f', 'A1WX3Hagul', 'S3GXcSfUA5'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, LuIa5X9Q5EbKdhRLPSM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'S2cIfP9UxH', 'TEjI0RygJx', 'YEjIioXTbT', 'VegI5wtwG1', 'KuQIPvMnVM', 'cx2IHFeP1n', 'PqTIFd2UFg'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, JWZACIxbZJglXKaQMs.cs High entropy of concatenated method names: 'RW96ktGbjg', 'Stt6lC4P69', 'vtU6bp5ieh', 'oFL6ymiT4v', 'eXH6pNnOhS', 'ocx6LjSHTZ', 'oY16hHEWP1', 'KJC61LtAtL', 'VDH6uHFIYi', 'PCD6EDr3PP'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, sQqsr7mVJoIxdM5oA4.cs High entropy of concatenated method names: 'DgRBoFENVg', 'RkXBC8Htnc', 'yRfBRlFxNp', 'RErBk2sfo5', 'AerBlsEKRP', 'unMByscLIB', 'VN8Bp9Uapv', 'tTD6FJmDlG', 'yAb6sIC9uw', 'MJL6tKcXWq'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs High entropy of concatenated method names: 'luPCZxhWTh', 'kNWCkt53PR', 'vq6Cl9cj2E', 'PbUCbayEoc', 'tuGCydIfDK', 'CpyCpoXWOt', 'QXNCLytZrI', 'XZdChSmPCk', 'kamC1aVjIM', 'uTxCuDDxb7'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, CTqb1798DD5AVCLbISG.cs High entropy of concatenated method names: 'XnwBTLFHID', 'XgKBO9yoqG', 'T5OBxYjLp5', 'YjmBN6cQbA', 'pHUB8tmYZU', 'iZuBD6KfcE', 'Di1BAVQGrn', 'RK7BnkedKj', 'zETBj0K3hT', 'ULQBV2rqjR'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, bs8JYKbstmUGM4KZC5.cs High entropy of concatenated method names: 'vQa2qBtNyG', 'ptK2K3vCk3', 'rlV2fWtlxp', 'Qun20EDM7s', 'QaO2wMMrQj', 'YjH2rVxU0O', 'Lf72S7kTCS', 'NaS2dFxREr', 'MPP2WtR4qy', 'vRt2GjfrSw'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, P3973JSS1uHOuImRZr.cs High entropy of concatenated method names: 'rPwLTvEFcc', 'nXELObgqWv', 'hSXLxiG1Nw', 'HHyLNmB8Mc', 'lGIL8JmSQy', 'H5RLDUyG9I', 'z8mLAJNR1Q', 'DQwLnbJeDl', 'v38LjPxnWS', 'eltLVJWKsb'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, qBd2SG446YqF3cs3NQ.cs High entropy of concatenated method names: 'p9DpZyqQf0', 'tMOplys8NP', 'cEUpyUBKL8', 'V6ipLgYBmh', 'pxhphL6wGH', 'X11yPanI9X', 'iw1yHgZAMk', 'Ti5yFUuxQZ', 'RLDys8nbrc', 'cppyt0GKqQ'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, naZD7mUeXTTXCKTeje.cs High entropy of concatenated method names: 'IowbNi0sr0', 'HoWbDvcc6v', 'Mrqbn7UxSk', 'GsdbjUrEer', 'Tl2b2n16Lt', 'r3xbXp8w0S', 'mwmbaqfliE', 'wipb68AB4O', 'RrfbBBlQiO', 'kBAbIQ7eqs'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, eRHt7R6gPnlIwRrgTm.cs High entropy of concatenated method names: 'Dispose', 'sDZotBlIgO', 'Iva4w9fmk9', 'wh4QQ8D560', 'Q0LoYliEIk', 'cmxoz558ms', 'ProcessDialogKey', 'Oax4mWeqgW', 'l9t4omAy55', 'UiZ44bGEMJ'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, TugaGtyyvR22O79f5m.cs High entropy of concatenated method names: 'K0C6gGI1tq', 'yjt6wXtY22', 'vXj6rWk85G', 'WDo6SG56rK', 'DnR6fMktEu', 'ySJ6dyYx1C', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, bgN9lyTujGQaMq3Srn.cs High entropy of concatenated method names: 'itjauOfbbs', 'lRlaECd297', 'ToString', 'Ys6akr1AKH', 'Vf0alYyvfQ', 'OxOabSR6UE', 'l6Xay3fN2F', 'U3GapO6MNM', 'fqLaLBlRtS', 'sbqah80EvE'
Source: 0.2.DHL_1003671162.exe.b170000.12.raw.unpack, M1HstWYGcIVYjLGXJk.cs High entropy of concatenated method names: 'DlpLkVSTQd', 'jxjLbvLx9s', 'PHiLpGOv7Q', 'rYipY4Uhe0', 'kDTpzRYtkW', 'n4yLmgKu0M', 'zlMLo3MqAO', 'r1CL4wNJto', 'BhlLCKNR5O', 'CHELRd5TnL'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, UDLi2hNReX4CONvj27.cs High entropy of concatenated method names: 'UtJoL6lkKD', 'tx4ohyfqe8', 'qB9ouJ7iNP', 'kYMoEPUVGR', 'Swuo2tks2g', 'In3oXRCrUi', 'JtAyQaFAqWJMfcu9la', 'iQnkRf1wR97RPvWMG0', 'ANmooWTZ67', 'UMroC1ctgG'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, KqnPq499EHbIyJkR2c8.cs High entropy of concatenated method names: 'ToString', 'QcJICPp2My', 'eVMIRLQ64D', 'OLKIZqZqi1', 'uN8IkOxg9D', 'NS8Il8u6WO', 'LQqIbjSBaf', 'ctDIyDu2EN', 'REPdQWCVtXCbPRHhhoJ', 'lUHsBbCcP3fnxMRO0Sm'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, FreH877o4sX9uPE3R8.cs High entropy of concatenated method names: 'Q7gasY93qA', 'H3BaYUBxlm', 'w786m6GmEk', 'g8A6oXMcKI', 'OICa9lHIuC', 'osCaK790Mn', 'TjWa7PMftu', 'Rc3afMriiJ', 'MsCa0xmSr1', 'cRBaiUo0kQ'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, piTvKODFSX0jcR75aU.cs High entropy of concatenated method names: 'S4WlfLN1ap', 'Iynl037Jk0', 'xxQlidwl2A', 'FkCl502j6J', 'HnylPdJpV0', 'LRLlHdkBmj', 'UIjlFJkedP', 'LeClsuenhH', 'zfult1FKEi', 'tdhlYGgttl'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, X4QbFhkZug2cenpRr5.cs High entropy of concatenated method names: 'zt9xP6OBL', 'AZFN7TMwO', 'c9yDVpiVr', 'M5hAESLWl', 'tuyju6FKG', 'taeVEZExT', 'FToZ59wpwD8bPswR7O', 'ybukZ0rogHfMMmAf2m', 'DJV64vrKk', 'st2IvgsJF'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, bsHBr02E3QP21WBYUb.cs High entropy of concatenated method names: 'tEXy8XsE6A', 'sAqyA053R7', 'RkPbroZtkT', 'sw2bSBjaAF', 'mNhbdn4DQK', 'xg8bWbYywV', 'ejIbG69J5G', 'lpmb3NZNgK', 'fTUbcxwVBe', 'oqEbqRBtPS'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, DYrTp3RpBrcAQ48aRP.cs High entropy of concatenated method names: 'vMXvnV5p58', 'QUjvjRhDCY', 'trLvgLqBp6', 'pmSvw9QCK7', 'CBtvSrYsDL', 'fIsvdwIV0R', 'qSGvGG7rjv', 'Qeqv34j0o9', 'VC2vqQIurs', 'shbv9eCMwT'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, yJ4pUYn5sgxJhbv7hC.cs High entropy of concatenated method names: 'ToString', 'x7eX98o8qM', 'IfPXwFiiAc', 'yxdXrbkbHt', 'o6AXSya3Ho', 'uQJXd6f354', 'kLeXWr8R2O', 'YbbXGbKZ5f', 'A1WX3Hagul', 'S3GXcSfUA5'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, LuIa5X9Q5EbKdhRLPSM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'S2cIfP9UxH', 'TEjI0RygJx', 'YEjIioXTbT', 'VegI5wtwG1', 'KuQIPvMnVM', 'cx2IHFeP1n', 'PqTIFd2UFg'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, JWZACIxbZJglXKaQMs.cs High entropy of concatenated method names: 'RW96ktGbjg', 'Stt6lC4P69', 'vtU6bp5ieh', 'oFL6ymiT4v', 'eXH6pNnOhS', 'ocx6LjSHTZ', 'oY16hHEWP1', 'KJC61LtAtL', 'VDH6uHFIYi', 'PCD6EDr3PP'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, sQqsr7mVJoIxdM5oA4.cs High entropy of concatenated method names: 'DgRBoFENVg', 'RkXBC8Htnc', 'yRfBRlFxNp', 'RErBk2sfo5', 'AerBlsEKRP', 'unMByscLIB', 'VN8Bp9Uapv', 'tTD6FJmDlG', 'yAb6sIC9uw', 'MJL6tKcXWq'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, vOhXJ8g3rtYhX0lVPt.cs High entropy of concatenated method names: 'luPCZxhWTh', 'kNWCkt53PR', 'vq6Cl9cj2E', 'PbUCbayEoc', 'tuGCydIfDK', 'CpyCpoXWOt', 'QXNCLytZrI', 'XZdChSmPCk', 'kamC1aVjIM', 'uTxCuDDxb7'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, CTqb1798DD5AVCLbISG.cs High entropy of concatenated method names: 'XnwBTLFHID', 'XgKBO9yoqG', 'T5OBxYjLp5', 'YjmBN6cQbA', 'pHUB8tmYZU', 'iZuBD6KfcE', 'Di1BAVQGrn', 'RK7BnkedKj', 'zETBj0K3hT', 'ULQBV2rqjR'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, bs8JYKbstmUGM4KZC5.cs High entropy of concatenated method names: 'vQa2qBtNyG', 'ptK2K3vCk3', 'rlV2fWtlxp', 'Qun20EDM7s', 'QaO2wMMrQj', 'YjH2rVxU0O', 'Lf72S7kTCS', 'NaS2dFxREr', 'MPP2WtR4qy', 'vRt2GjfrSw'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, P3973JSS1uHOuImRZr.cs High entropy of concatenated method names: 'rPwLTvEFcc', 'nXELObgqWv', 'hSXLxiG1Nw', 'HHyLNmB8Mc', 'lGIL8JmSQy', 'H5RLDUyG9I', 'z8mLAJNR1Q', 'DQwLnbJeDl', 'v38LjPxnWS', 'eltLVJWKsb'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, qBd2SG446YqF3cs3NQ.cs High entropy of concatenated method names: 'p9DpZyqQf0', 'tMOplys8NP', 'cEUpyUBKL8', 'V6ipLgYBmh', 'pxhphL6wGH', 'X11yPanI9X', 'iw1yHgZAMk', 'Ti5yFUuxQZ', 'RLDys8nbrc', 'cppyt0GKqQ'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, naZD7mUeXTTXCKTeje.cs High entropy of concatenated method names: 'IowbNi0sr0', 'HoWbDvcc6v', 'Mrqbn7UxSk', 'GsdbjUrEer', 'Tl2b2n16Lt', 'r3xbXp8w0S', 'mwmbaqfliE', 'wipb68AB4O', 'RrfbBBlQiO', 'kBAbIQ7eqs'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, eRHt7R6gPnlIwRrgTm.cs High entropy of concatenated method names: 'Dispose', 'sDZotBlIgO', 'Iva4w9fmk9', 'wh4QQ8D560', 'Q0LoYliEIk', 'cmxoz558ms', 'ProcessDialogKey', 'Oax4mWeqgW', 'l9t4omAy55', 'UiZ44bGEMJ'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, TugaGtyyvR22O79f5m.cs High entropy of concatenated method names: 'K0C6gGI1tq', 'yjt6wXtY22', 'vXj6rWk85G', 'WDo6SG56rK', 'DnR6fMktEu', 'ySJ6dyYx1C', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, bgN9lyTujGQaMq3Srn.cs High entropy of concatenated method names: 'itjauOfbbs', 'lRlaECd297', 'ToString', 'Ys6akr1AKH', 'Vf0alYyvfQ', 'OxOabSR6UE', 'l6Xay3fN2F', 'U3GapO6MNM', 'fqLaLBlRtS', 'sbqah80EvE'
Source: 0.2.DHL_1003671162.exe.4662b80.7.raw.unpack, M1HstWYGcIVYjLGXJk.cs High entropy of concatenated method names: 'DlpLkVSTQd', 'jxjLbvLx9s', 'PHiLpGOv7Q', 'rYipY4Uhe0', 'kDTpzRYtkW', 'n4yLmgKu0M', 'zlMLo3MqAO', 'r1CL4wNJto', 'BhlLCKNR5O', 'CHELRd5TnL'
Source: C:\Users\user\Desktop\DHL_1003671162.exe File created: C:\Users\user\AppData\Roaming\qmUxKv.exe
Source: C:\Users\user\Desktop\DHL_1003671162.exe File created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe

Boot Survival

Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv
Source: C:\Users\user\Desktop\DHL_1003671162.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run boqXv

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe File opened: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 6972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7656, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 2A00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 4A00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 8A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 7330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 9A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: AA40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: B1F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 8A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 1470000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: 4EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 8B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 9B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 9D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: AD00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: B390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: C390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: D390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory allocated: 4EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 16D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 9D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 9F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: AF10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: B4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: C4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: D4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 32B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 52B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 45F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 84B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 94B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 96C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: A6C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: AAB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 84B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6644
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1829
Source: C:\Users\user\Desktop\DHL_1003671162.exe Window / User API: threadDelayed 2040
Source: C:\Users\user\Desktop\DHL_1003671162.exe Window / User API: threadDelayed 1884
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Window / User API: threadDelayed 1005
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Window / User API: threadDelayed 2382
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 354
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 2826
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 846
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Window / User API: threadDelayed 2536
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7916 Thread sleep count: 2040 > 30
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99733s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7916 Thread sleep count: 1884 > 30
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99296s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99077s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98371s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -97904s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 1704 Thread sleep count: 1005 > 30
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 1704 Thread sleep count: 2382 > 30
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99450s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99325s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99217s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99108s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe TID: 7072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 5476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7744 Thread sleep count: 354 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7744 Thread sleep count: 2826 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99780s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99436s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98849s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98624s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7640 Thread sleep time: -98266s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7380 Thread sleep count: 846 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 7380 Thread sleep count: 2536 > 30
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99560s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99339s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99124s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98780s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98561s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98451s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98338s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -98208s >= -30000s
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe TID: 8116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99859
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99733
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99625
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99515
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99406
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99296
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99187
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 99077
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98969
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98844
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98735
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98610
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98485
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98371
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98250
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98141
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 98016
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 97904
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 97797
Source: C:\Users\user\Desktop\DHL_1003671162.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99450
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99325
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99217
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99108
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99780
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99436
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98849
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98624
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98516
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98266
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99560
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99339
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99124
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98780
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98561
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98451
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98338
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 98208
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Thread delayed: delay time: 922337203685477
Source: DHL_1003671162.exe, 00000000.00000002.1706065904.0000000008960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: boqXv.exe, 00000014.00000002.2925216759.00000000014B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: qmUxKv.exe, 0000000B.00000002.2925539343.000000000123B000.00000004.00000020.00020000.00000000.sdmp, boqXv.exe, 00000010.00000002.1895522275.0000000001599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DHL_1003671162.exe, 00000006.00000002.2929626503.0000000001178000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory allocated: page read and write | page guard
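The sleep, WMI and memory-string records above are what an analyst reads to judge how hard the sample tries to stall or fingerprint the sandbox. The recurring value 922337203685477 is Int64.MaxValue in 100-ns units divided by 10,000, i.e. the largest timeout a wait can carry, so those records are effectively infinite waits rather than timed sleeps; the 100000 and 99xxx series is a countdown of roughly 100 s sleeps (reading the values as milliseconds despite the sandbox's "s" suffix is an assumption). The "Hyper-V RAW" strings deserve a caveat: that is the name of the AF_HYPERV Winsock provider in mswsock.dll and is present on physical Windows 10 hosts as well, so it is weak evidence next to the VMware SATA CD-ROM device path. The following Python is an added triage example, not part of the Joe Sandbox report, that parses such records into a per-process evasion summary. The sample records are copied from this section and embedded inline; the list of WMI fingerprinting classes and hypervisor markers is my own choice; the trailing "Jump to behavior" link label that the HTML export leaves on some records is stripped before matching.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Int64.MaxValue in 100-ns units, divided by 10,000 to express it in ms:
# 9223372036854775807 // 10000 == 922337203685477, the value the report
# shows for waits that are effectively infinite.
INT64_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 30_000   # threshold the sandbox itself applies (">= -30000s")
BURST_THRESHOLD = 30     # the sandbox's "sleep count > 30" threshold
# WMI classes commonly read to fingerprint hardware/hypervisor (my own list).
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Processor", "Win32_BIOS",
                          "Win32_ComputerSystem", "Win32_NetworkAdapter"}
STRONG_HV_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen")
WEAK_HV_MARKERS = ("hyper-v",)   # mswsock.dll provider name, also on bare metal

SLEEP_RE = re.compile(r"^Source: (?P<proc>\S+) TID: \d+ Thread sleep time: -(?P<ms>\d+)s")
COUNT_RE = re.compile(r"^Source: (?P<proc>\S+) TID: \d+ Thread sleep count: (?P<n>\d+)")
WMI_RE = re.compile(r"^Source: (?P<proc>\S+) WMI Queries: IWbemServices::\w+ - \S+ : (?P<query>.+)$")
MEMSTR_RE = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<s>.+)$")
LINK_RE = re.compile(r"\s*Jump to behavior\s*$")   # link label left by the HTML export


@dataclass
class EvasionSummary:
    infinite_sleeps: int = 0   # waits at or above the Int64.MaxValue sentinel
    long_sleeps: int = 0       # finite sleeps >= LONG_SLEEP_MS
    long_sleep_ms: int = 0     # their total
    max_burst: int = 0         # largest "sleep count" burst seen
    wmi_classes: set = field(default_factory=set)
    hv_markers: set = field(default_factory=set)

    def findings(self):
        out = []
        if self.infinite_sleeps:
            out.append(f"{self.infinite_sleeps} wait(s) with an Int64.MaxValue timeout")
        if self.long_sleeps:
            out.append(f"{self.long_sleeps} sleep(s) >= {LONG_SLEEP_MS} ms "
                       f"({self.long_sleep_ms / 1000:.0f} s in total)")
        if self.max_burst > BURST_THRESHOLD:
            out.append(f"sleep burst of {self.max_burst} calls")
        fp = sorted(self.wmi_classes & VM_FINGERPRINT_CLASSES)
        if fp:
            out.append("hardware fingerprinting via WMI: " + ", ".join(fp))
        strong = sorted(m for m in self.hv_markers if m in STRONG_HV_MARKERS)
        if strong:
            out.append("hypervisor artefacts in memory: " + ", ".join(strong))
        elif self.hv_markers:
            out.append("only weak hypervisor strings (Hyper-V provider name, also on bare metal)")
        return out


def _key(source):
    # "C:\...\DHL_1003671162.exe" and "DHL_1003671162.exe, <dump id>.sdmp" both
    # map to the lower-cased image name so records in either form merge.
    return ntpath.basename(source.split(",")[0].strip()).lower()


def _wmi_class(query):
    m = re.search(r"\bFROM\s+(\w+)", query, re.IGNORECASE)
    return m.group(1) if m else query.strip()


def triage(records):
    """Return {image name: EvasionSummary} for the given report lines."""
    summaries = {}
    for raw in records:
        line = LINK_RE.sub("", raw.strip())
        if m := SLEEP_RE.match(line):
            s = summaries.setdefault(_key(m["proc"]), EvasionSummary())
            ms = int(m["ms"])           # milliseconds despite the "s" suffix (assumed)
            if ms >= INT64_MAX_MS:      # sentinel or out of range: treat as infinite
                s.infinite_sleeps += 1
            elif ms >= LONG_SLEEP_MS:
                s.long_sleeps += 1
                s.long_sleep_ms += ms
        elif m := COUNT_RE.match(line):
            s = summaries.setdefault(_key(m["proc"]), EvasionSummary())
            s.max_burst = max(s.max_burst, int(m["n"]))
        elif m := WMI_RE.match(line):
            s = summaries.setdefault(_key(m["proc"]), EvasionSummary())
            s.wmi_classes.add(_wmi_class(m["query"]))
        elif m := MEMSTR_RE.match(line):
            low = m["s"].lower()
            hits = {h for h in STRONG_HV_MARKERS + WEAK_HV_MARKERS if h in low}
            if hits:
                s = summaries.setdefault(_key(m["src"]), EvasionSummary())
                s.hv_markers |= hits
    return summaries


# Constructed sample: records copied from this section of the report.
EVASION_RECORDS = r"""
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7916 Thread sleep count: 2040 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe TID: 7900 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL_1003671162.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: DHL_1003671162.exe, 00000000.00000002.1706065904.0000000008960000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: boqXv.exe, 00000014.00000002.2925216759.00000000014B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
""".strip().splitlines()
```

Running `triage(EVASION_RECORDS)` yields one summary per image: the sample shows one infinite wait, two long sleeps, a burst of 2040 sleep calls, the two WMI hardware classes and the VMware string, while boqXv.exe is left with only the weak Hyper-V marker. The "Thread delayed: delay time" records repeat the same events under a second signature and are deliberately not counted, so sleeps are not tallied twice.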

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory written: C:\Users\user\Desktop\DHL_1003671162.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Memory written: C:\Users\user\AppData\Roaming\qmUxKv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp46C8.tmp"
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Process created: C:\Users\user\AppData\Roaming\qmUxKv.exe "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp8A0A.tmp"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe "C:\Users\user\AppData\Roaming\boqXv\boqXv.exe"
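The process-creation and memory-write records above carry the defence-evasion and persistence chain: a Defender exclusion for the dropped qmUxKv.exe via Add-MpPreference, a scheduled task "Updates\qmUxKv" registered from an XML file staged in the user's Temp directory, a new copy of the sample's own image, and an MZ header written at the image base 0x400000 of that image, which is the process-hollowing pattern. The following Python is an added example, not part of the report, that extracts these records into ATT&CK-tagged findings (T1562.001 Impair Defenses, T1053.005 Scheduled Task, T1055.012 Process Hollowing; the mapping is mine). The sample records are copied from this section and embedded inline; the hollowing verdict requires both a self-spawn and an MZ write into the same image, which is an assumption about how to read those two records together, and a lone MZ write is reported as generic injection.

```python
import ntpath
import re
from dataclasses import dataclass

LINK_RE = re.compile(r"\s*Jump to behavior\s*$")   # link label left by the HTML export
PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmd>.+)$")
MEMWR_RE = re.compile(r"^Source: (?P<src>\S+) Memory written: (?P<target>\S+) base: "
                      r"(?P<base>[0-9A-Fa-f]+) value starts with: (?P<bytes>[0-9A-Fa-f]+)")
# Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension <value>
ADD_MP_RE = re.compile(r'Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+'
                       r'(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
SCHTASKS_RE = re.compile(r'/Create\b.*?/TN\s+"(?P<tn>[^"]+)".*?/XML\s+"(?P<xml>[^"]+)"', re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|%TMP%", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (my mapping, not the report's)
    source: str      # image name of the acting process
    detail: str


def _key(path):
    return ntpath.basename(path).lower()


def extract_findings(records):
    """Turn process-creation and memory-write records into ordered, de-duplicated findings."""
    exclusions, tasks, mz_writes, self_spawned = [], [], [], set()
    for raw in records:
        line = LINK_RE.sub("", raw.strip())
        if m := PROC_RE.match(line):
            parent, image, cmd = m["parent"], m["image"], m["cmd"]
            if e := ADD_MP_RE.search(cmd):
                exclusions.append((parent, e["kind"], e["q"] or e["u"]))
            elif _key(image) == "schtasks.exe" and (t := SCHTASKS_RE.search(cmd)):
                tasks.append((parent, t["tn"], t["xml"]))
            elif _key(parent) == _key(image):
                self_spawned.add(_key(image))     # a fresh copy of its own image
        elif (m := MEMWR_RE.match(line)) and m["bytes"].upper().startswith("4D5A"):
            mz_writes.append((m["src"], m["target"], int(m["base"], 16)))

    findings = []
    for parent, kind, val in exclusions:
        findings.append(Finding("T1562.001", _key(parent),
                                f"Defender Exclusion{kind} added for {val}"))
    for parent, tn, xml in tasks:
        staged = " (XML staged in user Temp)" if TEMP_RE.search(xml) else ""
        findings.append(Finding("T1053.005", _key(parent),
                                f"schtasks /Create '{tn}' from {xml}{staged}"))
    for src, target, base in mz_writes:
        # PE header written at the image base of a freshly spawned copy of itself: hollowing.
        hollow = _key(src) == _key(target) and _key(target) in self_spawned
        note = " (into a new copy of its own image: process hollowing)" if hollow else ""
        findings.append(Finding("T1055.012" if hollow else "T1055", _key(src),
                                f"MZ header written at 0x{base:X} in {_key(target)}{note}"))
    return list(dict.fromkeys(findings))   # de-duplicate, keep first-seen order


# Constructed sample: records copied from this section of the report.
CHAIN_RECORDS = r"""
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe" Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Memory written: C:\Users\user\Desktop\DHL_1003671162.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qmUxKv.exe"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp3999.tmp"
Source: C:\Users\user\Desktop\DHL_1003671162.exe Process created: C:\Users\user\Desktop\DHL_1003671162.exe "C:\Users\user\Desktop\DHL_1003671162.exe"
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Memory written: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmUxKv" /XML "C:\Users\user\AppData\Local\Temp\tmp6C70.tmp"
""".strip().splitlines()
```

`extract_findings(CHAIN_RECORDS)` returns five findings: the exclusion once (the report lists the same command under more than one signature), one task per registering process with the Temp staging flagged, and the two MZ writes, of which only the DHL one is tagged as hollowing because the sample also contains its self-spawn. On a live host the same three facts are checked with `Get-MpPreference | Select ExclusionPath` and `Get-ScheduledTask -TaskPath '\Updates\'`.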
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Users\user\Desktop\DHL_1003671162.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Users\user\Desktop\DHL_1003671162.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Users\user\AppData\Roaming\qmUxKv.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Users\user\AppData\Roaming\qmUxKv.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.0000000003302000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.000000000337C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7196, type: MEMORYSTR
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.000000000337C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7196, type: MEMORYSTR
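The "File opened", "Key opened", "Key value queried" and "WMI Queries" entries above are the raw evidence behind the credential-theft signatures (browser login databases, Thunderbird and MAPI profiles, IncrediMail identities, FTP Navigator's Ftplist.txt, WinSCP sessions), plus the SecurityCenter2 AntiVirusProduct enumeration and the MachineGuid read used as a victim identifier. The following is an added triage helper, not code from the Joe Sandbox report or from the sample: it parses lines in that format, groups each process's accesses by the kind of store touched, and flags a process when it reaches into two or more different credential stores. The category names, the path-to-category mapping and the two-category threshold are this example's own assumptions, not the sandbox's signature logic, and the embedded report excerpt is a constructed copy of entries shown above.

```python
"""Triage helper for sandbox behaviour lines (added example, assumptions labelled)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+?\.exe)\s+"
    r"(?P<action>File opened|Key opened|Key value queried|WMI Queries):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?$"   # drop the page's link label if present
)

# (category, regex on the target). The paths are the ones the report lists;
# the category labels are an assumption made for this example.
RULES = [
    ("browser", r"\\Login Data$"),                                   # Chromium password DB
    ("browser", r"\\(Firefox|Cyberfox|BlackHawk)\\profiles\.ini$"),  # Gecko-based profiles
    ("mail", r"\\Thunderbird\\profiles\.ini$"),
    ("mail", r"\\Windows Messaging Subsystem\\Profiles$"),           # MAPI profiles
    ("mail", r"\\IncrediMail\\Identities$"),
    ("ftp", r"\\Ftplist\.txt$"),                                     # FTP Navigator
    ("scp", r"\\WinSCP 2\\Sessions$"),
    ("av-discovery", r"root\\SecurityCenter2 : AntiVirusProduct$"),
    ("host-id", r"\\Cryptography MachineGuid$"),
]
CREDENTIAL_CATEGORIES = {"browser", "mail", "ftp", "scp"}


def parse_line(line):
    """Return (process basename, category, target), or None when the line is
    not an access to a target the rules know about."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    for category, pattern in RULES:
        if re.search(pattern, target, re.IGNORECASE):
            proc = m.group("proc").rsplit("\\", 1)[-1]
            return proc, category, target
    return None


def summarize(report_text):
    """Map process -> category -> set of distinct targets."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            proc, category, target = parsed
            summary[proc][category].add(target)
    return summary


def harvesters(summary, min_categories=2):
    """Flag a process that touches at least `min_categories` different kinds
    of credential store (threshold is an assumption of this example)."""
    return {
        proc: len(CREDENTIAL_CATEGORIES & set(cats)) >= min_categories
        for proc, cats in summary.items()
    }


# Constructed excerpt of the report entries (subset, same format).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Roaming\qmUxKv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\DHL_1003671162.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_1003671162.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe Queries volume information: C:\Users\user\AppData\Roaming\boqXv\boqXv.exe VolumeInformation
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for proc, cats in s.items():
        print(proc, {c: sorted(t) for c, t in cats.items()})
    print(harvesters(s))
```

Run against the excerpt, boqXv.exe and DHL_1003671162.exe are flagged (four and two credential-store kinds respectively) while qmUxKv.exe, which in the excerpt only enumerates AntiVirusProduct, is not; the volume-information line is ignored because it is not one of the four access actions. The same parser can be pointed at a full behaviour export to see which of the dropped or injected processes actually did the harvesting.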

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a44990.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.boqXv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.486f5a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.qmUxKv.exe.48aa5c0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_1003671162.exe.3a09970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.0000000003302000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002F6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1693256058.0000000003A08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1894023046.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.00000000033CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2933834693.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1903974100.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1732952396.000000000486F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2933907510.000000000337C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2933168050.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DHL_1003671162.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 7924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qmUxKv.exe PID: 8168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: boqXv.exe PID: 7196, type: MEMORYSTR