Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: explorer.exe, 0000000F.00000002.5703883842.000000000DA1B000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: explorer.exe, 0000000F.00000002.5701480202.000000000D849000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.980284348.000000000D267000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.929431409.000000000D267000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.985595787.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.934050366.000000000D7F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys% |
Source: explorer.exe, 0000000F.00000002.5703883842.000000000DA1B000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0: |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://ocsp.digicert.com0C |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://ocsp.digicert.com0O |
Source: explorer.exe, 0000000F.00000000.936184682.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987848818.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl |
Source: explorer.exe, 0000000F.00000000.987919975.000000000DA15000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935114993.000000000D8EB000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0 |
Source: explorer.exe, 0000000F.00000000.976658395.0000000009B50000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.926660869.000000000A7E0000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.914833980.0000000002FA0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.micro |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.foreca.com |
Source: images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322042045.00000000018AA000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330432531.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en |
Source: explorer.exe, 0000000F.00000000.972782863.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.922114611.00000000094E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5684842071.000000000950F000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/odirm |
Source: explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/ |
Source: explorer.exe, 0000000F.00000000.936033459.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987676176.000000000D9E2000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703429729.000000000D9C6000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/g |
Source: explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: explorer.exe, 0000000F.00000000.987052343.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5702840793.000000000D954000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows? |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o |
Source: explorer.exe, 0000000F.00000000.981394432.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5696107995.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.930505618.000000000D366000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows? |
Source: explorer.exe, 0000000F.00000000.924171358.00000000096F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.974913981.00000000096F1000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5687107200.00000000096F1000.00000004.00000001.sdmp | String found in binary or memory: https://arc.msn.comr9 |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg |
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentSignerHttp/external |
Source: DHL Express shipment notification.exe, 0000000E.00000003.883756039.00000000019C0000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq |
Source: images.exe, 0000001D.00000003.1347566980.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330037634.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1330644774.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1324727893.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/ |
Source: images.exe, 0000001D.00000003.1319610421.00000000018CC000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319522456.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/#9 |
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/docs/securesc/sk5nfb6a71bsi4kb0hoi93t8ubc457n9/ga5uidum |
Source: DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/ |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp | String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/%%doc-10-6k-docs.googleusercontent.com |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1021086684.00000000019B3000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1016795564.00000000019C8000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.908533186.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.906400383.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/XM |
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-6k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/4tipe549 |
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=g9j0jkqh8v4q0&continue=https://doc-0c-74-docs.googleuserco |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/ |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/( |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907055660.00000000019B5000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.889117019.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.1017950200.00000000019AF000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g4 |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g8D |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020887639.0000000001988000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9gX |
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9geJYQtWVvXHi4Ubp9Y |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC: |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://windows.msn.com:443/shell |
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/ |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin |
Source: explorer.exe, 0000000F.00000000.971659582.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5683269966.00000000093E0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.920969135.00000000093E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed |
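The URL rows above mix three things: certificate-infrastructure strings (DigiCert, Comodo, GlobalSign CRL/OCSP) that any Authenticode check leaves in memory, MSN/news and weather strings that belong to the host's explorer.exe rather than to the sample, and the only rows that are actually attributable to the malware processes: the Google Drive `uc?export=download&id=...` fetch and the `docs.googleusercontent.com` redirect chain seen in `DHL Express shipment notification.exe` and the dropped `images.exe`. The script below is an added triage helper written for this page, not code from the report or from the sandbox vendor; the `$sample` lines are constructed copies in the report's own row layout, and `$noiseHosts` is an assumed allow-list, not something the report states.

```powershell
# Added triage helper (not from the report). $sample holds constructed lines in the
# report's "Source: ... | String found in binary or memory: ..." layout; $noiseHosts is
# an assumed list of infrastructure that any Windows host, or any fetch of a Google
# Drive page, leaves in memory regardless of the malware.
$sample = @'
Source: DHL Express shipment notification.exe, images.exe.14.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: explorer.exe, 0000000F.00000000.935402531.000000000D954000.00000004.00000001.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: DHL Express shipment notification.exe, 0000000E.00000003.884180959.00000000019B5000.00000004.00000001.sdmp, images.exe, 0000001D.00000003.1319155613.00000000018B1000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g
Source: images.exe, 0000001D.00000003.1322260099.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0c-74-docs.googleusercontent.com/
'@ -split "`r?`n"

# Assumed benign infrastructure: CRL/OCSP endpoints, Windows shell feeds, Drive CSP reporting.
$noiseHosts = 'digicert\.com|comodoca\.com|globalsign\.net|msocsp\.com|msn\.com|aka\.ms|withgoogle\.com|microsoft\.com|foreca\.com'

$rows = foreach ($line in $sample) {
    if ($line -match '^Source:\s*(?<src>.+?)\s*\|\s*String found in binary or memory:\s*(?<str>\S+)') {
        $src = $Matches.src
        $str = $Matches.str
        $uri = $null
        # Dumped strings carry trailing bytes from the binary ("...com0C"); [uri] still parses
        # them, and the host regex is unanchored so the junk suffix does not defeat the filter.
        if ([uri]::TryCreate($str, [UriKind]::Absolute, [ref]$uri) -and $uri.Host -notmatch $noiseHosts) {
            # Every token in the Source column that names a process image; memory-dump
            # names (....sdmp) and dropped-file suffixes (images.exe.14.dr) fall away.
            $procs = [regex]::Matches($src, '[^,]+?\.exe') | ForEach-Object { $_.Value.Trim() } | Sort-Object -Unique
            foreach ($p in $procs) {
                [pscustomobject]@{ Process = $p; Host = $uri.Host; Url = $str }
            }
        }
    }
}

# One row per (process, host, URL): the attributable network IOCs.
$rows | Sort-Object Process, Host, Url -Unique | Format-Table -AutoSize
```

Run over the full table, the only rows that survive are the `drive.google.com` download and the `googleusercontent.com` redirect hosts, attributed to the two malware processes; nothing from explorer.exe remains, which is the right outcome because those strings are Windows shell residue, not indicators of the sample's own activity. Block on the Drive file id or the `securesc` path rather than on `drive.google.com` as a whole.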
Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 29.3.images.exe.18d2b78.4.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 14.3.DHL Express shipment notification.exe.1a02148.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 14.3.DHL Express shipment notification.exe.1a02148.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907384773.0000000001A02000.00000004.00000001.sdmp | String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907015214.00000000019AE000.00000004.00000001.sdmp | String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: DHL Express shipment notification.exe, 0000000E.00000003.907561845.0000000001A08000.00000004.00000001.sdmp | String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread |
Source: images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: images.exe, 0000001D.00000003.1348162067.00000000018CB000.00000004.00000001.sdmp | String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread |
Source: images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: images.exe, 0000001D.00000003.1348433470.00000000018D9000.00000004.00000001.sdmp | String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread |
Source: images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: images.exe, 0000001D.00000003.1347991515.00000000018AC000.00000004.00000001.sdmp | String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread |
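The concatenated string above (present in both `DHL Express shipment notification.exe` and the dropped `images.exe`) enumerates what the RAT touches to give itself a hidden, concurrent RDP session: `rdpwrap.ini` and `rfxvmt.dll` (an RDP Wrapper style patch of `TermService`), the `Licensing Core\EnableConcurrentSessions`, `Winlogon\AllowMultipleTSSessions` and `fDenyTSConnections` switches, `SpecialAccounts\UserList` to hide the account from the logon screen, `SeDebugPrivilege` plus the `Nt*VirtualMemory`/`RtlCreateUserThread` imports for injection, and `xcopy` / `icacls ... /GRANT:r *S-1-1-0:(OI)(CI)F` against the Chrome, Firefox, Edge and Microsoft profile directories. The host audit below is an added example written for this page, not code from the report or from the malware: the `Microsoft DN1` folder name is read from the token order of the dumped string and treated as an assumption, as is the set of profile directories checked for an Everyone full-control grant.

```powershell
# Added triage script (not from the report). Run elevated on a host suspected of the
# RDP Wrapper / hidden-account tampering named in the dumped strings.
$findings = New-Object System.Collections.Generic.List[string]

# 1. TermService must still be served by the stock termsrv.dll, not a redirected ServiceDll.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($params -and $params.ServiceDll) {
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    if ($dll -ne (Join-Path $env:windir 'System32\termsrv.dll')) {
        $findings.Add("TermService ServiceDll redirected to: $dll")
    }
}

# 2. Multi-session / concurrent-RDP switches that RDP Wrapper style installers flip.
#    fDenyTSConnections=0 is normal on servers; report it as context, not proof.
$checks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core'; Name = 'EnableConcurrentSessions'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';            Name = 'AllowMultipleTSSessions';  Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                 Name = 'fDenyTSConnections';       Bad = 0 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) { $findings.Add("$($c.Name)=$v under $($c.Key)") }
}

# 3. Accounts hidden from the logon UI: a DWORD 0 named after the account under UserList.
$ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $ul) {
    foreach ($name in (Get-Item $ul).Property) {
        if ((Get-ItemPropertyValue -Path $ul -Name $name) -eq 0) { $findings.Add("Hidden logon account: $name") }
    }
}

# 4. Wrapper components dropped under Program Files. rfxvmt.dll is a legitimate Windows
#    DLL in System32, so only copies outside System32 are reported. The "Microsoft DN1"
#    folder name is an assumption taken from the dumped string.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) | Where-Object { $_ } | Sort-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Depth 2 -Include 'rdpwrap.ini', 'rfxvmt.dll', 'sqlmap.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("RDP Wrapper component on disk: $($_.FullName)") }
    $dn1 = Join-Path $root 'Microsoft DN1'
    if (Test-Path $dn1) { $findings.Add("Suspicious folder (assumed drop location): $dn1") }
}

# 5. icacls "*S-1-1-0:(OI)(CI)F" grants Everyone full control. Look for that ACE on the
#    browser profile directories the string pairs with xcopy (current user only here;
#    iterate C:\Users\* for a full sweep).
$profileDirs = @("$env:LOCALAPPDATA\Google", "$env:APPDATA\Mozilla", "$env:APPDATA\Microsoft",
                 "$env:LOCALAPPDATA\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe")
foreach ($dir in $profileDirs) {
    if (-not (Test-Path $dir)) { continue }
    $aces = (Get-Acl -Path $dir).Access | Where-Object {
        $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $_.IdentityReference.Value }
        $_.AccessControlType -eq 'Allow' -and $sid -eq 'S-1-1-0' -and $_.FileSystemRights.ToString() -match 'FullControl'
    }
    if ($aces) { $findings.Add("Everyone:FullControl granted on $dir") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No RDP Wrapper / hidden-account artifacts found.' }
```

A hit on check 1 or 3 is a strong signal on its own; checks 2 and 5 are corroboration, since administrators legitimately enable RDP and occasionally loosen profile ACLs. If the ServiceDll is redirected, pull the referenced DLL for the YARA rules matched earlier in this report before restoring `%SystemRoot%\System32\termsrv.dll` and restarting `TermService`.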
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1wMeKQgvhtbFhUc179qeysF4NuF_7Rf9g |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service |
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: vmicvss |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1021014003.00000000019A3000.00000004.00000020.sdmp, explorer.exe, 0000000F.00000000.936184682.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.987848818.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5701113978.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.985595787.000000000D7F0000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703739308.000000000DA04000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.934050366.000000000D7F0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: DHL Express shipment notification.exe, 0000000E.00000002.1020504850.0000000001947000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWH |
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022206078.0000000003310000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service |
Source: explorer.exe, 0000000F.00000000.987347269.000000000D995000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.935700971.000000000D995000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000002.5703169506.000000000D995000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW` |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service |
Source: DHL Express shipment notification.exe, 00000005.00000002.741442541.0000000002DA9000.00000004.00000001.sdmp, DHL Express shipment notification.exe, 0000000E.00000002.1022285511.00000000033D9000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface |
Source: images.exe, 00000015.00000002.1171933983.0000000002D59000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat |
Source: DHL Express shipment notification.exe, 00000005.00000002.740302767.0000000002430000.00000004.00000001.sdmp, images.exe, 00000015.00000002.1170610776.0000000002A20000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll |