
Windows Analysis Report
24sBT3Cffz.exe

Overview

General Information

Sample name: 24sBT3Cffz.exe (renamed because the original name is a hash value)
Original sample name: a225b14bc9d3330a0ced397bd815633e6918449ac8213c90c00261350925b5cb.exe
Analysis ID: 1639743
MD5: 39fd08610be339ba478d2fa411c8eb74
SHA1: e4667be1cb9e609e044b7a7325e762f9bcb2ef68
SHA256: a225b14bc9d3330a0ced397bd815633e6918449ac8213c90c00261350925b5cb
Tags: exe, user-zhuzhu0009

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 24sBT3Cffz.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\24sBT3Cffz.exe" MD5: 39FD08610BE339BA478D2FA411C8EB74)
    • DHL8900067.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\24sBT3Cffz.exe" MD5: 4EE215AEB0752362B68886D57F5809EF)
  • wscript.exe (PID: 1332 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • DHL8900067.exe (PID: 2140 cmdline: "C:\Users\user\AppData\Local\directory\DHL8900067.exe" MD5: 4EE215AEB0752362B68886D57F5809EF)
      • DHL8900067.exe (PID: 1948 cmdline: "C:\Users\user\AppData\Local\directory\DHL8900067.exe" MD5: 4EE215AEB0752362B68886D57F5809EF)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendMessage?chat_id=5061956073"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0000000C.00000002.2833119001.0000000004883000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000002.2833119001.0000000004883000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(58 entries in total; only the first five are shown here)

Source | Rule | Description | Author
15.2.DHL8900067.exe.3a53658.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
15.2.DHL8900067.exe.3a53658.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
15.2.DHL8900067.exe.3a53658.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
15.2.DHL8900067.exe.3a53658.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x32b6e:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32be0:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32c6a:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32cfc:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32d66:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32dd8:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32e6e:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32efe:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
15.2.DHL8900067.exe.3a40000.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(99 entries in total; only the first five are shown here)

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" , ProcessId: 1332, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs" , ProcessId: 1332, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\DHL8900067.exe, ProcessId: 7580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T06:51:40.942878+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49726 | 149.154.167.220 | 443 | TCP
2025-03-16T06:52:00.177453+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49729 | 149.154.167.220 | 443 | TCP
2025-03-16T06:51:40.942878+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49726 | 149.154.167.220 | 443 | TCP
2025-03-16T06:52:00.177453+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49729 | 149.154.167.220 | 443 | TCP
2025-03-16T06:51:40.772575+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49726 | 149.154.167.220 | 443 | TCP
2025-03-16T06:52:00.009500+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49729 | 149.154.167.220 | 443 | TCP


AV Detection

Source: 24sBT3Cffz.exe | Avira: detected
Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendMessage?chat_id=5061956073"}
Source: DHL8900067.exe.2140.14.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendMessage"}
Source: 24sBT3Cffz.exe | Virustotal: Detection: 65%
Source: 24sBT3Cffz.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Unpacked PE file: 12.2.DHL8900067.exe.4360000.6.unpack
Source: 24sBT3Cffz.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00ABC2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00406725 FindFirstFileExW
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0095DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0092C2A2 FindFirstFileExW
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_009668EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0096698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0095D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0095D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00969642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0096979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00969B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00965C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 15_2_00406725 FindFirstFileExW

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49726 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49729 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49726 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49729 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49726 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49729 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd643dd612f127 Host: api.telegram.org Content-Length: 968 Expect: 100-continue Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd643c7c9160bd Host: api.telegram.org Content-Length: 968 Expect: 100-continue Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AFCE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd643dd612f127 Host: api.telegram.org Content-Length: 968 Expect: 100-continue Connection: Keep-Alive
Source: DHL8900067.exe, 0000000C.00000002.2833119001.00000000048B5000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.0000000004365000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: DHL8900067.exe, 0000000C.00000002.2833119001.0000000004870000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.0000000004321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: DHL8900067.exe, DHL8900067.exe, 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.0000000004321000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: DHL8900067.exe, 0000000C.00000002.2833119001.0000000004821000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.00000000042D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL8900067.exe, DHL8900067.exe, 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: DHL8900067.exe, DHL8900067.exe, 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: DHL8900067.exe, 0000000C.00000002.2833119001.0000000004821000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.00000000042D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: DHL8900067.exe, 0000000C.00000002.2833119001.0000000004821000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.00000000042D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: DHL8900067.exe, 0000000C.00000002.2833119001.00000000048B5000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.0000000004365000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: DHL8900067.exe, DHL8900067.exe, 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.00000000042D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/
Source: DHL8900067.exe, 0000000C.00000002.2833119001.00000000048B5000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.0000000004365000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6900973449:AAF8wx9iUPZvdsBE34vKz_RL7sCyp2owiPA/sendDocument
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, pmGIa7.cs | .Net Code: ovVNs
Source: 12.2.DHL8900067.exe.417058.0.raw.unpack, pmGIa7.cs | .Net Code: ovVNs
Source: 12.2.DHL8900067.exe.4043658.3.raw.unpack, pmGIa7.cs | .Net Code: ovVNs
Source: 14.2.DHL8900067.exe.3913658.1.raw.unpack, pmGIa7.cs | .Net Code: ovVNs
Source: 15.2.DHL8900067.exe.3a53658.4.raw.unpack, pmGIa7.cs | .Net Code: ovVNs
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0096ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00B19576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6FDECB00,6FDEC2F0,SetCapture,ClientToScreen,6FDEC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00989576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6FDECB00,6FDEC2F0,SetCapture,ClientToScreen,6FDEC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                      System Summary

                      Source: 15.2.DHL8900067.exe.3a53658.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.3a40000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 14.2.DHL8900067.exe.3913658.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.3d10000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4043658.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 14.2.DHL8900067.exe.3913658.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4030000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.3d10000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.3a53658.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 14.2.DHL8900067.exe.3900000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 14.2.DHL8900067.exe.3900000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4320000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4030000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4360000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.3a40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 15.2.DHL8900067.exe.3d50000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 12.2.DHL8900067.exe.4043658.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000E.00000002.2803728167.0000000003900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000C.00000002.2832772460.0000000004320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000C.00000002.2832196987.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000C.00000002.2829706410.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
                      Source: 24sBT3Cffz.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                      Source: 24sBT3Cffz.exe, 00000000.00000003.2598529546.0000000004181000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1abdec8a-7
                      Source: 24sBT3Cffz.exe, 00000000.00000003.2598529546.0000000004181000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f1dec353-7
                      Source: 24sBT3Cffz.exe, 00000000.00000002.2610129036.0000000000B42000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d2d9b69d-5
                      Source: 24sBT3Cffz.exe, 00000000.00000002.2610129036.0000000000B42000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_aa6e0c1e-4
                      Source: DHL8900067.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                      Source: DHL8900067.exe, 0000000C.00000002.2830003919.00000000009B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3b193d01-1
                      Source: DHL8900067.exe, 0000000C.00000002.2830003919.00000000009B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_88f96ef2-1
                      Source: DHL8900067.exe, 0000000E.00000000.2771473723.00000000009B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1ec4fc9e-f
                      Source: DHL8900067.exe, 0000000E.00000000.2771473723.00000000009B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_3d855a57-0
                      Source: DHL8900067.exe, 0000000F.00000002.3637971020.00000000009B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_39b71791-c
                      Source: DHL8900067.exe, 0000000F.00000002.3637971020.00000000009B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_7baab29e-1
                      Source: 24sBT3Cffz.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ce95c7db-0
                      Source: 24sBT3Cffz.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_273867e0-e
                      Source: DHL8900067.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_db3f1704-0
                      Source: DHL8900067.exe.0.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_18cffee7-a
                      Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Process Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A83170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B1A2D7 NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B187B2 NtdllDialogWndProc_W,CallWindowProcW
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B18AAA NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A98BA4 NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B18B02 6FDEC580,6FDEC6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B18D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B18FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A990A7 NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B190A1 SendMessageW,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A99052 NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B1911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B19380 NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B193CB NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B19400 ClientToScreen,6FDEC5D0,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B1953A GetWindowLongW,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B19576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6FDECB00,6FDEC2F0,SetCapture,ClientToScreen,6FDEC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A997C0 GetParent,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A9997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E0C8D0,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B19EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B19E74 NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B19F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_008F3170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0098A2D7 NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009887B2 NtdllDialogWndProc_W,CallWindowProcW
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00988AAA NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00908BA4 NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00988B02 6FDEC580,6FDEC6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00988D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00988FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009090A7 NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009890A1 SendMessageW,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00909052 NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0098911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00989380 NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009893CB NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00989400 ClientToScreen,6FDEC5D0,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0098953A GetWindowLongW,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00989576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6FDECB00,6FDEC2F0,SetCapture,ClientToScreen,6FDEC530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009097C0 GetParent,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0090997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,74E0C8D0,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00989EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00989E74 NtdllDialogWndProc_W
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00989F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AED5EB CreateFileW,DeviceIoControl,CloseHandle
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74495590,74497ED0,CreateProcessAsUserW,74495030,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,74497F30
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0095E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A88060
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF2046
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AE8298
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00ABE4FF
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AB676B
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00B14873
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AACAA0
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A8CAF0
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A9CC39
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AB6DD9
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A9D063
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A891C0
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A9B119
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA1394
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA1706
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA781B
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA19B0
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A87920
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A9997D
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA7A4A
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA7CA7
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA1C77
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AB9EEE
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00B0BE440_2_00B0BE44
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AA1F320_2_00AA1F32
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_021337B00_2_021337B0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0040CBE112_2_0040CBE1
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0096204612_2_00962046
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_008F806012_2_008F8060
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0095829812_2_00958298
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0092E4FF12_2_0092E4FF
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0092676B12_2_0092676B
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0098487312_2_00984873
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0091CAA012_2_0091CAA0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_008FCAF012_2_008FCAF0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0090CC3912_2_0090CC39
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_00926DD912_2_00926DD9
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_008F91C012_2_008F91C0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0090B11912_2_0090B119
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0091139412_2_00911394
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0091170612_2_00911706
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0091781B12_2_0091781B
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_009119B012_2_009119B0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_008F792012_2_008F7920
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0090997D12_2_0090997D
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_00917A4A12_2_00917A4A
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_00917CA712_2_00917CA7
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_00911C7712_2_00911C77
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_00929EEE12_2_00929EEE
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0097BE4412_2_0097BE44
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_00911F3212_2_00911F32
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_040237B012_2_040237B0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0419B7D012_2_0419B7D0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_04193E6012_2_04193E60
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_04194A7812_2_04194A78
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0419EA8812_2_0419EA88
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_0419AB4812_2_0419AB48
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_041941A812_2_041941A8
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D551D012_2_09D551D0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5C1B812_2_09D5C1B8
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D579B812_2_09D579B8
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5235812_2_09D52358
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5622012_2_09D56220
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5592012_2_09D55920
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5004012_2_09D50040
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5E3E012_2_09D5E3E0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D572D812_2_09D572D8
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5AE6012_2_09D5AE60
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5003E12_2_09D5003E
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 12_2_09D5002812_2_09D50028
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 14_2_007D37B014_2_007D37B0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0040CBE115_2_0040CBE1
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_032D37B015_2_032D37B0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_03C7EA8815_2_03C7EA88
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_03C7DA9715_2_03C7DA97
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_03C74A7815_2_03C74A78
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_03C73E6015_2_03C73E60
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_03C741A815_2_03C741A8
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_097451D015_2_097451D0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974C1B815_2_0974C1B8
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974308815_2_09743088
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974B26015_2_0974B260
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974622015_2_09746220
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974590F15_2_0974590F
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974235015_2_09742350
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_0974E3E015_2_0974E3E0
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: 15_2_097472D815_2_097472D8
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: String function: 00A89CB3 appears 31 times
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: String function: 00A9F9F2 appears 40 times
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: String function: 00AA0A30 appears 46 times
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: String function: 008F9CB3 appears 31 times
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: String function: 00910A30 appears 46 times
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: String function: 004075EE appears 36 times
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: String function: 00401EE0 appears 66 times
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeCode function: String function: 0090F9F2 appears 40 times
                      Source: 24sBT3Cffz.exe, 00000000.00000002.2610202417.0000000000B54000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameflexuosely.exe4 vs 24sBT3Cffz.exe
                      Source: 24sBT3Cffz.exe | Binary or memory string: OriginalFilenameflexuosely.exe4 vs 24sBT3Cffz.exe
                      Source: 24sBT3Cffz.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      Source: 15.2.DHL8900067.exe.3a53658.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.3a40000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.DHL8900067.exe.3913658.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.3d10000.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4043658.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.DHL8900067.exe.3913658.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4030000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.3d10000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.3a53658.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.DHL8900067.exe.3900000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.DHL8900067.exe.3900000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4320000.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4030000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4360000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.3a40000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 15.2.DHL8900067.exe.3d50000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4043658.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000E.00000002.2803728167.0000000003900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000C.00000002.2832772460.0000000004320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000C.00000002.2832196987.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000C.00000002.2829706410.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, rgjtyRJ0.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, rgjtyRJ0.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, mNYd.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, mNYd.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, 3zL.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/12@3/3
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF37B5 GetLastError,FormatMessageW
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AE10BF AdjustTokenPrivileges,CloseHandle
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_009510BF AdjustTokenPrivileges,CloseHandle
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_009516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00B0A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00A842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | File created: C:\Users\user\AppData\Local\directory
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Mutant created: NULL
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | File created: C:\Users\user\AppData\Local\Temp\aut9C06.tmp
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs"
                      Source: 24sBT3Cffz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 24sBT3Cffz.exe | Virustotal: Detection: 65%
                      Source: 24sBT3Cffz.exe | ReversingLabs: Detection: 63%
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | File read: C:\Users\user\Desktop\24sBT3Cffz.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\24sBT3Cffz.exe "C:\Users\user\Desktop\24sBT3Cffz.exe"
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Process created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\Desktop\24sBT3Cffz.exe"
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\AppData\Local\directory\DHL8900067.exe"
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Process created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\AppData\Local\directory\DHL8900067.exe"
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Process created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\Desktop\24sBT3Cffz.exe"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\AppData\Local\directory\DHL8900067.exe"
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Process created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\AppData\Local\directory\DHL8900067.exe"
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: mpr.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: wsock32.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wsock32.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 24sBT3Cffz.exe | Static file information: File size 1285632 > 1048576

Data Obfuscation

Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Unpacked PE file: 12.2.DHL8900067.exe.4360000.6.unpack
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A842DE
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00AA0A76 push ecx; ret 0_2_00AA0A89
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0040D2F1 push ecx; ret 12_2_0040D304
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00910A76 push ecx; ret 12_2_00910A89
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 15_2_0040D2F1 push ecx; ret 15_2_0040D304
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | File created: C:\Users\user\AppData\Local\directory\DHL8900067.exe

Boot Survival

Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DHL8900067.vbs
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00A9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00A9F98E
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Code function: 0_2_00B11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B11C41
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_0090F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,12_2_0090F98E
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Code function: 12_2_00981C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,12_2_00981C41
Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-97824
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: DHL8900067.exe, DHL8900067.exe, 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640774673.0000000004334000.00000004.00000800.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Memory allocated: 4190000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Memory allocated: 4820000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Memory allocated: 4240000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Memory allocated: 3B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Memory allocated: 42D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Memory allocated: 3B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599890
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599781
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599671
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599562
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599452
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599343
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599234
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599111
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598984
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598858
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598749
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598640
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598531
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598421
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598312
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598203
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598093
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597981
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597875
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597765
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597656
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597546
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597437
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597328
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597218
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597109
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597000
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596890
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596781
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596671
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596562
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596452
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596343
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596230
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596125
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596015
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595906
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595796
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595687
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595577
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595468
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595359
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595250
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595139
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595031
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594844
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594718
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594604
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594482
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594369
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599891
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599782
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599657
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599532
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599422
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599310
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599188
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 599063
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598938
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598813
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598704
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598594
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598454
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598329
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598219
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 598094
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597985
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597875
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597766
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597625
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597516
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597391
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597266
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597157
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 597032
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596907
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596797
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596688
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596563
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596438
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596313
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596188
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 596079
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595947
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595843
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595718
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595545
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595435
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595320
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595219
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 595094
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594985
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594860
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594735
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594610
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594485
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594360
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594235
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Thread delayed: delay time: 594110
                      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Window / User API: threadDelayed 7501
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Window / User API: threadDelayed 2316
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Window / User API: threadDelayed 7649
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | Window / User API: threadDelayed 2178
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe | API coverage: 3.7 %
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe | API coverage: 4.1 %
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep count: 33 > 30
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -30437127721620741s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599890s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 2888 | Thread sleep count: 7501 > 30
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 2888 | Thread sleep count: 2316 > 30
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599781s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599671s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599562s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599452s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599343s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599234s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -599111s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598984s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598858s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598749s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598640s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598531s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598421s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598312s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598203s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -598093s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597981s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597875s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597765s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597656s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597546s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597437s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597328s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597218s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597109s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -597000s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596890s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596781s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596671s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596562s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596452s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596343s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596230s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596125s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -596015s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595906s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595796s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595687s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595577s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595468s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595359s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595250s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595139s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -595031s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -594844s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -594718s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -594604s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -594482s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 4768 | Thread sleep time: -594369s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep count: 31 > 30
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -28592453314249787s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599891s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3884 | Thread sleep count: 7649 > 30
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3884 | Thread sleep count: 2178 > 30
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599782s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599657s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599532s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599422s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599310s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599188s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -599063s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598938s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598813s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598704s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598594s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598454s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598329s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598219s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -598094s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597985s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597875s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597766s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597625s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597516s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597391s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597266s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597157s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -597032s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -596907s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -596797s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -596688s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892 | Thread sleep time: -596563s >= -30000s
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -596438s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -596313s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -596188s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -596079s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595947s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595843s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595718s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595545s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595435s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595320s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595219s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -595094s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594985s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594860s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594735s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594610s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594485s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594360s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594235s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe TID: 3892Thread sleep time: -594110s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00ABC2A2 FindFirstFileExW
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF68EE FindFirstFileW,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AF5C97 FindFirstFileW,FindNextFileW,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00406725 FindFirstFileExW
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0095DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0092C2A2 FindFirstFileExW
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009668EE FindFirstFileW,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0096698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0095D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0095D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00969642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0096979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00969B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00965C97 FindFirstFileW,FindNextFileW,FindClose
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_00406725 FindFirstFileExW
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599890
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599781
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599671
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599562
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599452
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599343
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599234
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599111
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598984
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598858
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598749
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598640
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598531
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598421
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598312
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598203
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598093
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597981
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597875
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597765
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597656
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597546
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597437
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597328
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597218
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597109
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597000
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596890
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596781
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596671
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596562
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596452
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596343
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596230
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596125
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596015
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595906
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595796
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595687
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595577
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595468
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595359
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595250
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595139
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595031
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594844
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594718
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594604
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594482
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594369
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599891
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599782
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599657
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599532
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599422
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599310
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599188
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 599063
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598938
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598813
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598704
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598594
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598454
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598329
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598219
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 598094
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597985
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597875
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597766
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597625
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597516
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597391
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597266
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597157
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 597032
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596907
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596797
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596688
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596563
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596438
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596313
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596188
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 596079
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595947
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595843
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595718
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595545
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595435
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595320
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595219
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 595094
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594985
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594860
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594735
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594610
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594485
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594360
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594235
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Thread delayed: delay time: 594110
                      Source: DHL8900067.exe, 0000000F.00000002.3640774673.0000000004334000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
                      Source: wscript.exe, 0000000D.00000002.2772105276.0000024216AB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmware
                      Source: DHL8900067.exe, 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                      Source: DHL8900067.exe, 0000000C.00000002.2832056046.0000000003DCB000.00000004.00000020.00020000.00000000.sdmp, DHL8900067.exe, 0000000F.00000002.3639465135.000000000382D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_04197E80 CheckRemoteDebuggerPresent
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AFEAA2 BlockInput
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA4CE8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_02133640 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_021336A0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_02131EEE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_02131F00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00914CE8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_04023640 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_040236A0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_04021EEE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_04021F00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 14_2_007D1EEE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 14_2_007D3640 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 14_2_007D36A0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 14_2_007D1F00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_032D1F00 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_032D3640 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_032D36A0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_032D1EEE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA09D5 SetUnhandledExceptionFilter
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_004060B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00401E16 SetUnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00922622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_0091083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_009109D5 SetUnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 12_2_00910C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_004060B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_00401E16 SetUnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Code function: 15_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe Code function: 0_2_00AE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74495590,74497ED0,CreateProcessAsUserW,74495030,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,74497F30
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AC2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00AC2BA5
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AEB226 SendInput,keybd_event,0_2_00AEB226
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00B022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_00B022DA
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\DHL8900067.exe "C:\Users\user\AppData\Local\directory\DHL8900067.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00AE0B62
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00AE1663
                      Source: 24sBT3Cffz.exe, DHL8900067.exe.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                      Source: 24sBT3Cffz.exe, DHL8900067.exeBinary or memory string: Shell_TrayWnd
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AA0698 cpuid 0_2_00AA0698
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00AF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00AF8195
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00ADD27A GetUserNameW,0_2_00ADD27A
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00ABB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00ABB952
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeCode function: 0_2_00A842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00A842DE
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a53658.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a40000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3913658.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3d10000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4043658.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3913658.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a53658.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4320000.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4360000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4030000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3900000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3d10000.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4030000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3900000.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3d50000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a40000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4043658.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2833119001.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640774673.000000000435D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000E.00000002.2803728167.0000000003900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2833613709.0000000005821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640774673.0000000004334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2832772460.0000000004320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2833119001.00000000048AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640774673.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2832196987.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2832801262.0000000004362000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2829706410.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2832146638.0000000003EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2833119001.00000000048B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: DHL8900067.exe PID: 7580, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: DHL8900067.exe PID: 2140, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: DHL8900067.exe PID: 1948, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: DHL8900067.exe; Binary or memory string: WIN_81
                      Source: DHL8900067.exe; Binary or memory string: WIN_XP
                      Source: DHL8900067.exe.0.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                      Source: DHL8900067.exe; Binary or memory string: WIN_XPe
                      Source: DHL8900067.exe; Binary or memory string: WIN_VISTA
                      Source: DHL8900067.exe; Binary or memory string: WIN_7
                      Source: DHL8900067.exe; Binary or memory string: WIN_8

                      Remote Access Functionality

                      Source: Yara match; File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a53658.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a40000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3913658.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3d10000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4043658.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3913658.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a53658.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4320000.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4360000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4030000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3900000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3d10000.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4030000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.DHL8900067.exe.3900000.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3d50000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 15.2.DHL8900067.exe.3a40000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.DHL8900067.exe.4043658.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2833119001.0000000004883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640774673.000000000435D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000E.00000002.2803728167.0000000003900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2833613709.0000000005821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.3640774673.0000000004334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832772460.0000000004320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2833119001.00000000048AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3640774673.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832196987.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832801262.0000000004362000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2829706410.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832146638.0000000003EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2833119001.00000000048B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: DHL8900067.exe PID: 7580, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DHL8900067.exe PID: 2140, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DHL8900067.exe PID: 1948, type: MEMORYSTR
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3a53658.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3a40000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.DHL8900067.exe.3913658.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3d10000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4320000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4043658.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.417058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.DHL8900067.exe.3913658.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3a53658.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4320000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4360000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4030000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.DHL8900067.exe.3900000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3d10000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4030000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.417058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.DHL8900067.exe.3900000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3d50000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.DHL8900067.exe.3a40000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.DHL8900067.exe.4043658.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0000000F.00000002.3641301317.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3639705406.0000000003A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3640304755.0000000003D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2803728167.0000000003900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2833613709.0000000005821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832772460.0000000004320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3640335348.0000000003D52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832196987.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832801262.0000000004362000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2829706410.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2832146638.0000000003EA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3639232868.0000000001244000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.3637238131.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: DHL8900067.exe PID: 7580, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DHL8900067.exe PID: 2140, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: DHL8900067.exe PID: 1948, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe, Code function: 0_2_00B01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00B01204
                      Source: C:\Users\user\Desktop\24sBT3Cffz.exe, Code function: 0_2_00B01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00B01806
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe, Code function: 12_2_00971204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 12_2_00971204
                      Source: C:\Users\user\AppData\Local\directory\DHL8900067.exe, Code function: 12_2_00971806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_00971806
                      MITRE ATT&CK matrix (tactic columns, in table order): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information111
                      Scripting
                      2
                      Valid Accounts
                      231
                      Windows Management Instrumentation
                      111
                      Scripting
                      1
                      Exploitation for Privilege Escalation
                      11
                      Disable or Modify Tools
                      2
                      OS Credential Dumping
                      2
                      System Time Discovery
                      Remote Services11
                      Archive Collected Data
                      1
                      Web Service
                      Exfiltration Over Other Network Medium1
                      System Shutdown/Reboot
                      CredentialsDomainsDefault Accounts1
                      Native API
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      11
                      Deobfuscate/Decode Files or Information
                      121
                      Input Capture
                      1
                      Account Discovery
                      Remote Desktop Protocol2
                      Data from Local System
                      2
                      Ingress Tool Transfer
                      Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAt2
                      Valid Accounts
                      2
                      Valid Accounts
                      2
                      Obfuscated Files or Information
                      1
                      Credentials in Registry
                      2
                      File and Directory Discovery
                      SMB/Windows Admin Shares1
                      Email Collection
                      11
                      Encrypted Channel
                      Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCron2
                      Registry Run Keys / Startup Folder
                      21
                      Access Token Manipulation
                      1
                      Software Packing
                      NTDS48
                      System Information Discovery
                      Distributed Component Object Model121
                      Input Capture
                      3
                      Non-Application Layer Protocol
                      Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script12
                      Process Injection
                      1
                      DLL Side-Loading
                      LSA Secrets651
                      Security Software Discovery
                      SSH3
                      Clipboard Data
                      14
                      Application Layer Protocol
                      Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                      Registry Run Keys / Startup Folder
                      1
                      Masquerading
                      Cached Domain Credentials361
                      Virtualization/Sandbox Evasion
                      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Valid Accounts
                      DCSync3
                      Process Discovery
                      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job361
                      Virtualization/Sandbox Evasion
                      Proc Filesystem11
                      Application Window Discovery
                      Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                      Access Token Manipulation
                      /etc/passwd and /etc/shadow1
                      System Owner/User Discovery
                      Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                      IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron12
                      Process Injection
                      Network Sniffing1
                      System Network Configuration Discovery
                      Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 1639743, Sample: 24sBT3Cffz.exe, Startdate: 16/03/2025, Architecture: WINDOWS, Score: 100
                      Contacted hosts: api.telegram.org, ip-api.com, api.ipify.org
                      Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                      Signature on api.telegram.org: Uses the Telegram API (likely for C&C communication)
                      Process 24sBT3Cffz.exe (started): dropped C:\Users\user\AppData\...\DHL8900067.exe, PE32; signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; started DHL8900067.exe
                      Process wscript.exe (started): signature: Windows Scripting host queries suspicious COM object (likely to drop second stage); started DHL8900067.exe
                      Process DHL8900067.exe (child of 24sBT3Cffz.exe): ip-api.com 208.95.112.1, 49725, 49728, 80 TUT-ASUS United States; api.telegram.org 149.154.167.220, 443, 49726, 49729 TELEGRAMRU United Kingdom; api.ipify.org 104.26.13.205, 443, 49724, 49727 CLOUDFLARENETUS United States; dropped C:\Users\user\AppData\...\DHL8900067.vbs, data; signatures: Detected unpacking (creates a PE file in dynamic memory); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
                      Process DHL8900067.exe (child of wscript.exe): signature: Binary is likely a compiled AutoIt script file; started DHL8900067.exe
                      Process DHL8900067.exe (child of the previous DHL8900067.exe): signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Binary is likely a compiled AutoIt script file; Tries to steal Mail credentials (via file / registry access); 2 other signatures
