Analysis Report DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Analysis ID: 383910
MD5: 56796a808359f3eacd3dfae75e530c7f
SHA1: 2a640c1ceda881fc552148022fa5cd69df349884
SHA256: 966f5fda32ac9ad436cdeb47d024fb831705d8e14fa83ee74a48483260871ec2
Tags: AgentTeslaDHLexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.438eaca.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "aammorris@askoblue.comhbqtHu^3smtp.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Virustotal: Detection: 35% Perma Link
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe ReversingLabs: Detection: 20%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 21.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0552B120
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0552AD84
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_0552B840
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0552B840
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then jmp 05526081h 0_2_05525808
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then jmp 05526081h 0_2_055257FB
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0552B35C
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0552DE04
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_0552D800
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_0552B834
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0552B834
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_0552BB54
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0552BB54
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_0552BB60
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0552BB60
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then xor edx, edx 0_2_0552BA98
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then xor edx, edx 0_2_0552BA8D
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06DB47D0
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06DB8318
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06DB47B1
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06DB830B
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_056EB120
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then jmp 056E6081h 14_2_056E57FB
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_056EB35C
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_056EAD84
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_056EDE04
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then push dword ptr [ebp-20h] 14_2_056EB840
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_056EB840
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then push dword ptr [ebp-20h] 14_2_056EB834
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_056EB834
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then jmp 056E6081h 14_2_056E5808
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_056ED800
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then push dword ptr [ebp-24h] 14_2_056EBB60
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_056EBB60
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then push dword ptr [ebp-24h] 14_2_056EBB54
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 14_2_056EBB54
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then xor edx, edx 14_2_056EBA8D
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then xor edx, edx 14_2_056EBA98
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 14_2_06EE4900
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 14_2_06EE48FD

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 80.0.0.0 80.0.0.0
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/)R
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/1.0/
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416909689.000000000136D000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.603869218.00000000014F3000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://crl.mu
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416909689.000000000136D000.00000004.00000020.sdmp, Files.exe, 0000000A.00000002.429538750.0000000006600000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Files.exe, 0000000A.00000002.426445514.0000000002E59000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.a-msedge.net
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/Lu_RL
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/zu
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: Files.exe, 0000000E.00000003.443115256.00000000074A3000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.425822118.000000000724B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.469317818.00000000074A3000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000003.354223291.000000000723A000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/11
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000003.354223291.000000000723A000.00000004.00000001.sdmp, DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.425822118.000000000724B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.469317818.00000000074A3000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.425786361.000000000723B000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000003.354223291.000000000723A000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g1
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000003.366225487.000000000721C000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g8
Source: Files.exe, 0000000E.00000003.469317818.00000000074A3000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416909689.000000000136D000.00000004.00000020.sdmp, Files.exe, 0000000A.00000002.429538750.0000000006600000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416909689.000000000136D000.00000004.00000020.sdmp, Files.exe, 0000000A.00000002.429538750.0000000006600000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Files.exe, 0000000E.00000002.605804441.00000000030AE000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.605886421.00000000030C4000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.417319845.00000000030A1000.00000004.00000001.sdmp, Files.exe, 0000000A.00000002.425647475.0000000002C41000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.605716042.0000000003081000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#GufRM
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#QupRO
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#hu
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: Files.exe, 0000000A.00000002.426190356.0000000002E26000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/D
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/N
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000014.00000002.611035366.0000000008270000.00000002.00000001.sdmp String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/B
Source: AcroRd32.exe, 00000014.00000002.649710805.000000000E123000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000014.00000002.649710805.000000000E123000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/&x
Source: AcroRd32.exe, 00000014.00000002.649710805.000000000E123000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/pxYP
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/YO
Source: AcroRd32.exe, 00000014.00000002.650509786.000000000E418000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000014.00000002.650509786.000000000E418000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.comRL(
Source: AcroRd32.exe, 00000014.00000002.619503674.0000000009487000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000014.00000003.503961105.000000000B995000.00000004.00000001.sdmp, AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: https://mybill.dhl.com/
Source: AcroRd32.exe, 00000014.00000003.515935868.000000000BAF4000.00000004.00000001.sdmp String found in binary or memory: https://mybill.dhl.com/DwgP
Source: AcroRd32.exe, 00000014.00000002.649611201.000000000E0B7000.00000004.00000001.sdmp String found in binary or memory: https://mybill.dhl.com/P
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp, Files.exe, 0000000A.00000003.411483153.000000000100B000.00000004.00000001.sdmp, Files.exe, 0000000E.00000003.465280195.000000000155B000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.417319845.00000000030A1000.00000004.00000001.sdmp, Files.exe, 0000000A.00000002.425647475.0000000002C41000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.605716042.0000000003081000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.417319845.00000000030A1000.00000004.00000001.sdmp, Files.exe, 0000000A.00000002.425647475.0000000002C41000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.605716042.0000000003081000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: Files.exe, 0000000A.00000002.425647475.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com4(lx
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.420461900.000000000411A000.00000004.00000001.sdmp, Files.exe, 0000000E.00000002.618305567.000000000436D000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416745491.00000000012BB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
.NET source code contains very large array initializations
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: Files.exe.0.dr, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.af0000.0.unpack, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.0.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.af0000.0.unpack, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: 10.2.Files.exe.780000.0.unpack, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: 10.0.Files.exe.780000.0.unpack, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: 14.2.Files.exe.d30000.0.unpack, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Source: 14.0.Files.exe.d30000.0.unpack, Qw1/g1H.cs Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE7CFC CreateProcessAsUserW, 14_2_06EE7CFC
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_05520160 0_2_05520160
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_05524088 0_2_05524088
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_05525808 0_2_05525808
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_055264B0 0_2_055264B0
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_055264A0 0_2_055264A0
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_055276E8 0_2_055276E8
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_05524078 0_2_05524078
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_0552C318 0_2_0552C318
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_0552C308 0_2_0552C308
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_0552C8C8 0_2_0552C8C8
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_0552C8BB 0_2_0552C8BB
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_06DB62F8 0_2_06DB62F8
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_06DB62E7 0_2_06DB62E7
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_06DB5118 0_2_06DB5118
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_06DB5108 0_2_06DB5108
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 10_2_02A6B3E0 10_2_02A6B3E0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 10_2_02A6DD30 10_2_02A6DD30
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 10_2_05110160 10_2_05110160
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 10_2_05114078 10_2_05114078
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 10_2_05114088 10_2_05114088
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_0306B3E0 14_2_0306B3E0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_0306DD30 14_2_0306DD30
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_03069BB8 14_2_03069BB8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_0306FCA0 14_2_0306FCA0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E64A0 14_2_056E64A0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E64B0 14_2_056E64B0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E0160 14_2_056E0160
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E4078 14_2_056E4078
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E4088 14_2_056E4088
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056EC308 14_2_056EC308
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056EC318 14_2_056EC318
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E5808 14_2_056E5808
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056EC8C8 14_2_056EC8C8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056EC8BB 14_2_056EC8BB
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE9E49 14_2_06EE9E49
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE7368 14_2_06EE7368
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE8B20 14_2_06EE8B20
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EEE068 14_2_06EEE068
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE8028 14_2_06EE8028
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EEC038 14_2_06EEC038
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EEB908 14_2_06EEB908
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EEF6F9 14_2_06EEF6F9
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EED6F0 14_2_06EED6F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE9E54 14_2_06EE9E54
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EED72A 14_2_06EED72A
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EED738 14_2_06EED738
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE4C08 14_2_06EE4C08
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE4C01 14_2_06EE4C01
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE4C10 14_2_06EE4C10
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EEEAF8 14_2_06EEEAF8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EED2C0 14_2_06EED2C0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EED2B8 14_2_06EED2B8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EED2B2 14_2_06EED2B2
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE7364 14_2_06EE7364
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE7359 14_2_06EE7359
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE8B2C 14_2_06EE8B2C
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_06EE8B28 14_2_06EE8B28
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 21_2_008E20B0 21_2_008E20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 21_2_00F946A0 21_2_00F946A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 21_2_00F94690 21_2_00F94690
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 21_2_00F9D2E1 21_2_00F9D2E1
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416745491.00000000012BB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.426017066.00000000078B0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.420404913.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.415989680.0000000000BBE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameADEHL.exeP vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.422316226.0000000005F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.424636736.0000000006A80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.420461900.000000000411A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamehCnYoxwadYHoTJqQhthGLP.exe4 vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.425293031.0000000006DE0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.425293031.0000000006DE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: policymanager.dll Jump to behavior
Uses 32bit PE files
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: classification engine Classification label: mal100.troj.evad.winEXE@25/53@0/2
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Virustotal: Detection: 35%
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File read: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\AppData\Roaming\Files.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF'
Source: C:\Users\user\AppData\Roaming\Files.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=7717275198719545956 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7717275198719545956 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=14898531479645788559 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9725964129438127640 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9725964129438127640 --renderer-client-id=4 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2964269592299071020 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2964269592299071020 --renderer-client-id=5 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF' Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=7717275198719545956 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7717275198719545956 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=14898531479645788559 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9725964129438127640 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9725964129438127640 --renderer-client-id=4 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,2401863177927084696,18206753643728564179,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2964269592299071020 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2964269592299071020 --renderer-client-id=5 --mojo-platform-channel-handle=2148 --allow-no-sandbox-job /prefetch:1
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Code function: 0_2_06DB706B push ecx; iretd 0_2_06DB70DC
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 10_2_05113478 pushfd ; iretd 10_2_051134A1
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E3478 pushfd ; iretd 14_2_056E34A1
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E4D47 push esp; retf 14_2_056E4D51
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 14_2_056E4D52 pushad ; retf 14_2_056E4D61

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe File opened: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File opened: C:\Users\user\AppData\Roaming\Files.exe\:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Files.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Window / User API: threadDelayed 9067 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Window / User API: threadDelayed 480 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Window / User API: threadDelayed 1404 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Window / User API: threadDelayed 6252 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 736
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 9102
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe TID: 6680 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe TID: 6732 Thread sleep count: 9067 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe TID: 6732 Thread sleep count: 480 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe TID: 6640 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe TID: 6592 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6460 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6460 Thread sleep count: 177 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5100 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5044 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 2940 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 2436 Thread sleep count: 1404 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 2436 Thread sleep count: 6252 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 1256 Thread sleep count: 57 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 1256 Thread sleep time: -57000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4688 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3016 Thread sleep count: 736 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 3016 Thread sleep count: 9102 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Files.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Files.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.422316226.0000000005F50000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.371128133.00000000033A0000.00000002.00000001.sdmp, Files.exe, 0000000A.00000002.429199290.0000000005C10000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.622468970.0000000006100000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416838689.000000000132D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: AcroRd32.exe, 00000014.00000002.650086529.000000000E20F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!3
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.422316226.0000000005F50000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.371128133.00000000033A0000.00000002.00000001.sdmp, Files.exe, 0000000A.00000002.429199290.0000000005C10000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.622468970.0000000006100000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.422316226.0000000005F50000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.371128133.00000000033A0000.00000002.00000001.sdmp, Files.exe, 0000000A.00000002.429199290.0000000005C10000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.622468970.0000000006100000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Files.exe, 0000000E.00000002.604314807.000000000155B000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.416790426.00000000012EC000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy
Source: Files.exe, 0000000A.00000002.424545436.0000000000FF8000.00000004.00000020.sdmp, Files.exe, 0000000E.00000003.465230499.0000000001535000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe, 00000000.00000002.422316226.0000000005F50000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.371128133.00000000033A0000.00000002.00000001.sdmp, Files.exe, 0000000A.00000002.429199290.0000000005C10000.00000002.00000001.sdmp, Files.exe, 0000000E.00000002.622468970.0000000006100000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Code function: 20_2_00F511D0 LdrInitializeThunk, 20_2_00F511D0
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Files.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\Files.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Files.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: B74008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\DHL Overdue Account Notice - 1301356423.PDF' Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: Files.exe, 0000000E.00000002.605046972.0000000001A90000.00000002.00000001.sdmp, AcroRd32.exe, 00000014.00000002.606075266.0000000005F60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Files.exe, 0000000E.00000002.605046972.0000000001A90000.00000002.00000001.sdmp, AcroRd32.exe, 00000014.00000002.606075266.0000000005F60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Files.exe, 0000000E.00000002.605046972.0000000001A90000.00000002.00000001.sdmp, AcroRd32.exe, 00000014.00000002.606075266.0000000005F60000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Files.exe, 0000000E.00000002.605046972.0000000001A90000.00000002.00000001.sdmp, AcroRd32.exe, 00000014.00000002.606075266.0000000005F60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000015.00000002.604942356.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.618305567.000000000436D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.617790683.00000000041A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.593141973.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420461900.000000000411A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420573412.00000000041C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.617678751.00000000040F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420839951.000000000438E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Files.exe PID: 6484, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe PID: 6572, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.42d930a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.436d5fa.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.42b7e3a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.40f8d58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.411a228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.40f8d58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.438eaca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.438eaca.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.42d930a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.436d5fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.425d24a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.425d24a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.42b7e3a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.411a228.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.4223b1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.427e71a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.420264a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.4223b1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.420264a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.427e71a.5.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000015.00000002.604942356.0000000002D01000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000015.00000002.604942356.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.618305567.000000000436D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.617790683.00000000041A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.593141973.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420461900.000000000411A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420573412.00000000041C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.617678751.00000000040F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.420839951.000000000438E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Files.exe PID: 6484, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe PID: 6572, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.42d930a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.436d5fa.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.42b7e3a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.40f8d58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.411a228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.40f8d58.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.438eaca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.438eaca.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.42d930a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.436d5fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.425d24a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.425d24a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.42b7e3a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.411a228.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.4223b1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.427e71a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.420264a.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.4223b1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Files.exe.420264a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe.427e71a.5.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383910 Sample: DHL_Express_Shipments_Invoi... Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected AgentTesla 2->67 69 3 other signatures 2->69 9 DHL_Express_Shipments_Invoice_Confirmation_CBJ190517000131_74700456XXX.exe 15 7 2->9         started        13 Files.exe 14 3 2->13         started        process3 file4 43 C:\Users\user\AppData\Roaming\Files.exe, PE32 9->43 dropped 45 C:\Users\user\AppData\...\InstallUtil.exe, PE32 9->45 dropped 47 C:\Users\user\...\Files.exe:Zone.Identifier, ASCII 9->47 dropped 49 DHL_Express_Shipme...74700456XXX.exe.log, ASCII 9->49 dropped 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->75 15 Files.exe 3 4 9->15         started        19 cmd.exe 1 9->19         started        77 Multi AV Scanner detection for dropped file 13->77 79 Machine Learning detection for dropped file 13->79 signatures5 process6 dnsIp7 53 192.168.2.1 unknown unknown 15->53 55 Writes to foreign memory regions 15->55 57 Allocates memory in foreign processes 15->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->59 61 Injects a PE file into a foreign processes 15->61 21 InstallUtil.exe 15->21         started        24 AcroRd32.exe 39 15->24         started        26 conhost.exe 19->26         started        28 reg.exe 1 1 19->28         started        signatures8 process9 signatures10 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->73 30 RdrCEF.exe 24->30         started        32 AcroRd32.exe 24->32         started        process11 process12 34 RdrCEF.exe 30->34         started        37 RdrCEF.exe 30->37         started        39 RdrCEF.exe 30->39         started        41 RdrCEF.exe 30->41         started        dnsIp13 51 80.0.0.0 NTLGB United Kingdom 34->51
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
80.0.0.0
 unknown United Kingdom
5089 NTLGB false

Private
IP
192.168.2.1