Analysis Report DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Analysis ID: 383976
MD5: edae8c184a250cccba45c023e805e12d
SHA1: 6042a0f078faad9525f052a561120d1e2551160f
SHA256: 0a572e4a9f5d166e563f1c63aa7aa029c2c206d23767bd6ab033a95d7d7027cb
Tags: AgentTeslaDHLexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

AV Detection:

barindex
Found malware configuration
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sammorris@askoblue.comP)RTDOg8mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Virustotal: Detection: 28% Perma Link
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe ReversingLabs: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Files.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06C68448
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06C64500
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06C644FB
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_06C68446
Source: Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303110487.00000000067F6000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325634684.0000000002A13000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://dual-a-0001.a-msedge.net
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.232439693.00000000070D3000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305089826.00000000070D2000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303110487.00000000067F6000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Files.exe, 00000015.00000002.322781369.0000000000A9C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.m
Source: Files.exe, 0000000D.00000002.306843617.00000000025F9000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325646667.0000000002A17000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329537552.000000000314B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297284689.0000000002D6E000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325378597.00000000029FC000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329505639.0000000003135000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329441226.0000000003118000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com
Source: Files.exe, 0000000D.00000002.306747199.00000000025C6000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325347261.00000000029DF000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.328565365.00000000013D1000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.329046892.0000000002DF7000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.297204343.0000000002D41000.00000004.00000001.sdmp, Files.exe, 0000000D.00000002.306692734.0000000002591000.00000004.00000001.sdmp, Files.exe, 00000015.00000002.325792650.0000000002AD1000.00000004.00000001.sdmp, Files.exe, 00000016.00000002.329364718.00000000030E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

barindex
.NET source code contains very large array initializations
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: Files.exe.0.dr, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.9a0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.0.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.9a0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 13.2.Files.exe.120000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 13.0.Files.exe.120000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 21.0.Files.exe.3c0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 21.2.Files.exe.3c0000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 22.2.Files.exe.c30000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Source: 22.0.Files.exe.c30000.0.unpack, Bs5w/z4R1.cs Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_0133D7F0 0_2_0133D7F0
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_0133E4D8 0_2_0133E4D8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C66423 0_2_06C66423
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C66428 0_2_06C66428
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65246 0_2_06C65246
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65248 0_2_06C65248
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00A4D7F0 13_2_00A4D7F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00A4BD18 13_2_00A4BD18
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 21_2_00BED458 21_2_00BED458
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 21_2_00BED7F0 21_2_00BED7F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 21_2_00BEE4D8 21_2_00BEE4D8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 22_2_0161D7F0 22_2_0161D7F0
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 22_2_0161BD18 22_2_0161BD18
Sample file is different than original file name gathered from version info
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegJXtAEencRYFIZTxBNckJHYqrAmfI.exe4 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.305503971.0000000007750000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.295875557.0000000000A6E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBDHL.exeD vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstallUtil.exeT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.299399775.0000000003D47000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304498768.0000000006C90000.00000002.00000001.sdmp Binary or memory string: originalfilename vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.304498768.0000000006C90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303468804.00000000068F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Binary or memory string: OriginalFilenameBDHL.exeD vs DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Uses 32bit PE files
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: classification engine Classification label: mal92.troj.evad.winEXE@10/5@0/1
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4060:120:WilError_01
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Virustotal: Detection: 28%
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File read: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 'C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe'
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000003.274495104.0000000006863000.00000004.00000001.sdmp, InstallUtil.exe.0.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6890 push ds; retf 0_2_009A68B5
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6FDE push eax; retf 0_2_009A6FF2
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A70D5 push ecx; retf 0_2_009A70E8
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A7EFC push cs; retf 0_2_009A7F0B
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A90FC push ds; retf 0_2_009A910B
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6D33 push ebx; retf 0_2_009A6D46
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6F2F push ebp; retf 0_2_009A6F56
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A7023 push edx; retf 0_2_009A704F
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6E51 push esi; retf 0_2_009A6E64
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6F57 push ebp; retf 0_2_009A6F6A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_009A6E65 push esp; retf 0_2_009A6E75
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65E58 push esp; ret 0_2_06C65E5A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65E00 push esp; ret 0_2_06C65E02
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65FF1 push edi; ret 0_2_06C65FF2
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65FF9 push esi; ret 0_2_06C65FFA
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65C88 push edx; ret 0_2_06C65C8A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65DA9 push ebx; ret 0_2_06C65DAA
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65D7B push ebx; ret 0_2_06C65D82
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65D78 push ebx; ret 0_2_06C65D7A
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65D1B push edx; ret 0_2_06C65D22
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Code function: 0_2_06C65AD9 push ecx; ret 0_2_06C65ADA
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126D33 push ebx; retf 13_2_00126D46
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00127023 push edx; retf 13_2_0012704F
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126F2F push ebp; retf 13_2_00126F56
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126E51 push esi; retf 13_2_00126E64
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126F57 push ebp; retf 13_2_00126F6A
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126E65 push esp; retf 13_2_00126E75
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126890 push ds; retf 13_2_001268B5
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_001270D5 push ecx; retf 13_2_001270E8
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00126FDE push eax; retf 13_2_00126FF2
Source: C:\Users\user\AppData\Roaming\Files.exe Code function: 13_2_00127EFC push cs; retf 13_2_00127F0B

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Roaming\Files.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Files Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe\:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Window / User API: threadDelayed 3079 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Window / User API: threadDelayed 6522 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4580 Thread sleep time: -23058430092136925s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 5752 Thread sleep count: 3079 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 5752 Thread sleep count: 6522 > 30 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 1832 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe TID: 4144 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6176 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6340 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6340 Thread sleep count: 149 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 4720 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 5528 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6488 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6524 Thread sleep count: 77 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6524 Thread sleep count: 117 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6372 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6632 Thread sleep count: 91 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6632 Thread sleep count: 107 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe TID: 6452 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Files.exe, 00000016.00000002.328296751.0000000001364000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.303280982.0000000006862000.00000004.00000001.sdmp Binary or memory string: VMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Source: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe, 00000000.00000002.302369445.0000000005E00000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.252198044.0000000002C20000.00000002.00000001.sdmp, Files.exe, 0000000D.00000002.309501538.00000000055B0000.00000002.00000001.sdmp, Files.exe, 00000015.00000002.330474287.0000000005960000.00000002.00000001.sdmp, Files.exe, 00000016.00000002.333829232.0000000006050000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Process created: C:\Users\user\AppData\Roaming\Files.exe 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'Files' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\Files.exe' Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Users\user\AppData\Roaming\Files.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Files.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.299807783.0000000003E66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.300534811.000000000402B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.299471132.0000000003DB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe PID: 5716, type: MEMORY
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f76782.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3db76a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3ec0f92.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.3f1bb92.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe.402bf42.6.unpack, type: UNPACKEDPE
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383976 Sample: DHL_Express_Shipment_Invoic... Startdate: 08/04/2021 Architecture: WINDOWS Score: 92 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected AgentTesla 2->38 40 3 other signatures 2->40 7 DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe 15 7 2->7         started        11 Files.exe 14 3 2->11         started        13 Files.exe 2 2->13         started        process3 dnsIp4 24 C:\Users\user\AppData\Roaming\Files.exe, PE32 7->24 dropped 26 C:\Users\user\...\Files.exe:Zone.Identifier, ASCII 7->26 dropped 28 DHL_Express_Shipme...4700456XXXX.exe.log, ASCII 7->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->30 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->42 16 cmd.exe 1 7->16         started        18 Files.exe 2 7->18         started        44 Multi AV Scanner detection for dropped file 11->44 46 Machine Learning detection for dropped file 11->46 32 192.168.2.1 unknown unknown 13->32 file5 signatures6 process7 process8 20 conhost.exe 16->20         started        22 reg.exe 1 1 16->22         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.1