
Windows Analysis Report DHL Delivery Invoice AWB 2774038374.exe

Overview

General Information

Sample Name: DHL Delivery Invoice AWB 2774038374.exe
Analysis ID: 553160
MD5: d746678abd983ee65b7968607de1e18c
SHA1: ac41264273c252b60b7c1fb893324b4f3005c7e6
SHA256: 9d69632f6791492fadab28bea034f7f18d29bc67fd6e7db08bdba847487da47f
Tags: AgentTesla, DHL, exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • DHL Delivery Invoice AWB 2774038374.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" MD5: D746678ABD983EE65B7968607DE1E18C)
    • powershell.exe (PID: 6412 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5524 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1364 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.723647574.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.723173768.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 14 entries shown)

            Unpacked PEs

Source | Rule | Description | Author
8.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 16 entries shown)
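
Each entry above is a PE image dumped from RegSvcs.exe at 0x400000, and the Compliance section further down reports the header flags of the on-disk sample (32BIT_MACHINE, EXECUTABLE_IMAGE; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT). Those names are decoded from two fields, IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics, and the CLR header data directory is what tells a managed (.NET) image such as this dropper apart from native code. The following is an added example, not code from the report or from Joe Sandbox: a dependency-free parser for those fields that can be pointed at a dump or a file. Because no sample can ship with the page, it also builds a minimal constructed header carrying the flag values the report lists (the CLR RVA 0x2008 and the second, native PE32+ header in the usage are invented for illustration). Note that the dropper overwrites its own PE header at run time, so the flags of the on-disk file say nothing about the payload later injected into RegSvcs.exe; run the parser on the dump for that.

```python
"""Added example: decode the PE header flags Joe Sandbox reports as 'Static PE information'
and flag a managed (.NET) image by its CLR header directory. Pure stdlib; works on a
file read from disk or on a memory dump whose headers are still intact."""
import struct

CHARACTERISTICS = {  # IMAGE_FILE_HEADER.Characteristics
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {  # IMAGE_OPTIONAL_HEADER.DllCharacteristics
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
PE32, PE32PLUS = 0x10B, 0x20B
CLR_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _names(table, value):
    return [name for bit, name in table.items() if value & bit]


def parse_pe_flags(data):
    """Return machine, decoded flag names and whether a CLR header is present.
    Raises ValueError on anything that is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _sections, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)   # same offset in PE32 and PE32+
    dirs = opt + (96 if magic == PE32 else 112)              # start of the data directory array
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    clr_rva = 0
    if ndirs > CLR_DIRECTORY and dirs + (CLR_DIRECTORY + 1) * 8 <= opt + opt_size:
        clr_rva, _clr_size = struct.unpack_from("<II", data, dirs + CLR_DIRECTORY * 8)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS,
        "characteristics": _names(CHARACTERISTICS, chars),
        "dll_characteristics": _names(DLL_CHARACTERISTICS, dllchars),
        "managed": clr_rva != 0,
    }


def missing_mitigations(flags):
    """Exploit mitigations a modern linker normally enables that this image lacks."""
    wanted = ["DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"] + (["HIGH_ENTROPY_VA"] if flags["pe32plus"] else [])
    return [m for m in wanted if m not in flags["dll_characteristics"]]


def build_pe_stub(characteristics, dll_characteristics, machine=0x14C, magic=PE32, clr_rva=0, clr_size=0):
    """Constructed, non-runnable PE header (DOS header, COFF header, optional header, no
    sections) used only to exercise parse_pe_flags offline."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224 if magic == PE32 else 240
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dirs = 96 if magic == PE32 else 112
    struct.pack_into("<I", opt, dirs - 4, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs + CLR_DIRECTORY * 8, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed header carrying the flag values this report lists for the sample
# (Characteristics 0x0102, DllCharacteristics 0x8540); the CLR RVA 0x2008 is invented.
SAMPLE_HEADER = build_pe_stub(0x0102, 0x8540, clr_rva=0x2008, clr_size=0x48)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HEADER
    info = parse_pe_flags(data)
    print(info)
    print("missing mitigations:", missing_mitigations(info))
```

Run it with a path argument to decode a real file or dump; without one it decodes the constructed header and prints the four DllCharacteristics names the report lists plus `managed: True`. Absent GUARD_CF is normal for a .NET assembly, so treat the mitigation list as a triage hint rather than a verdict.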

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started. Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard. Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1364
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started. Author: frack113. Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp, ProcessId: 5524
Sigma detected: Powershell Defender Exclusion
Source: Process started. Author: Florian Roth. Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, ProcessId: 6412
Sigma detected: Possible Applocker Bypass
Source: Process started. Author: juju4. Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1364
Sigma detected: Non Interactive PowerShell
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe" , ParentImage: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe, ParentProcessId: 7072, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe, ProcessId: 6412
Sigma detected: T1086 PowerShell Execution
Source: Pipe created. Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research). Data: PipeName: \PSHost.132866324229420803.6412.DefaultAppDomain.powershell
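
The Sigma hits above each fire on a single event (a PowerShell Defender exclusion, a scheduled task built from an XML in the user's Temp folder, a .NET utility started with no arguments), and the SMTP exfiltration in the malware configuration shows up as a network event from that same hollowed RegSvcs.exe. What makes this chain AgentTesla rather than four independent alerts is that one parent process, PID 7072, spawns all of it. The following is an added example, not code from Joe Sandbox or from any Sigma rule, that re-implements the matching logic of those rules in Python over constructed Sysmon-style process-creation and network-connection records and then groups the hits by parent. Command lines, PIDs and the 77.88.21.158:587 connection are taken from this report; the field names, the dropper's parent PID 1000, the benign control events, the sacrificial-process list and the mail-client allowlist are assumptions. One caveat the report's own "non-standard ports" label glosses over: 587/tcp is the standard mail submission port, so the network rule keys on which process opens it, not on the port being unusual.

```python
"""Added example: detection logic for the AgentTesla dropper chain in this report,
correlated by parent process. Event shapes mimic Sysmon event ID 1 (process create)
and event ID 3 (network connect) fields; that mapping is an assumption."""
import re
from collections import defaultdict

# Constructed events. Command lines, PIDs and the 587/tcp connection are taken from the
# report; parent PID 1000 and the two benign control events are invented.
PROCESS_EVENTS = [
    {"ProcessId": 7072, "ParentProcessId": 1000,
     "Image": r"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe",
     "CommandLine": r'"C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe"'},
    {"ProcessId": 6412, "ParentProcessId": 7072,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe"'},
    {"ProcessId": 5524, "ParentProcessId": 7072,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"'},
    {"ProcessId": 1364, "ParentProcessId": 7072,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"ProcessId": 4100, "ParentProcessId": 900,   # benign control: admin reads Defender settings
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
]
NETWORK_EVENTS = [
    {"ProcessId": 1364, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationIp": "77.88.21.158", "DestinationPort": 587},
    {"ProcessId": 2200, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": 587},   # benign control: a real mail client
]

SACRIFICIAL = {"regsvcs.exe", "regasm.exe", "installutil.exe"}  # assumption: subset of the Sigma rule's list
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}                # assumption: processes allowed to speak SMTP
MAIL_PORTS = {25, 465, 587}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline):
    """Command line with the leading (optionally quoted) image path removed."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1) if m else ""


def detect_defender_exclusion(ev):
    """Powershell Defender Exclusion: Add-MpPreference with an -Exclusion* switch."""
    if _basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = ev["CommandLine"].lower()
    if "add-mppreference" in cmd and "-exclusion" in cmd:
        # stricter than the Sigma rule: call out an excluded path inside a user profile
        return "defender_exclusion_in_user_profile" if "\\appdata\\" in cmd else "defender_exclusion"
    return None


def detect_task_from_temp(ev):
    """Add Task From User AppData Temp: schtasks /Create fed an XML from %LOCALAPPDATA%\\Temp."""
    if _basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if "/create" in cmd and "/xml" in cmd and "\\appdata\\local\\temp\\" in cmd:
        return "schtasks_xml_from_user_temp"
    return None


def detect_sacrificial_no_args(ev):
    """Sacrificial Processes With Improper Arguments: a .NET utility started with no
    arguments at all, the usual host for process hollowing (RegSvcs.exe here)."""
    if _basename(ev["Image"]) in SACRIFICIAL and _args(ev["CommandLine"]).strip() == "":
        return "sacrificial_process_no_args"
    return None


def detect_smtp_from_unexpected_process(ev):
    """SMTP from something that is not a mail client: the exfil channel in the config."""
    if ev["DestinationPort"] in MAIL_PORTS and _basename(ev["Image"]) not in MAIL_CLIENTS:
        return "smtp_from_non_mail_client"
    return None


PROCESS_RULES = (detect_defender_exclusion, detect_task_from_temp, detect_sacrificial_no_args)


def run_rules(process_events, network_events):
    alerts = []
    for ev in process_events:
        for rule in PROCESS_RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"rule": hit, "pid": ev["ProcessId"]})
    for ev in network_events:
        hit = detect_smtp_from_unexpected_process(ev)
        if hit:
            alerts.append({"rule": hit, "pid": ev["ProcessId"]})
    return alerts


def correlate_by_parent(alerts, process_events):
    """Group distinct rule hits by the parent of the alerting process. One parent with
    exclusion + task + hollowed utility + SMTP is the dropper pattern seen in this report."""
    parent_of = {ev["ProcessId"]: ev["ParentProcessId"] for ev in process_events}
    chains = defaultdict(set)
    for a in alerts:
        chains[parent_of.get(a["pid"])].add(a["rule"])
    return {parent: sorted(rules) for parent, rules in chains.items()}


if __name__ == "__main__":
    for parent, rules in correlate_by_parent(run_rules(PROCESS_EVENTS, NETWORK_EVENTS), PROCESS_EVENTS).items():
        print(f"parent PID {parent}: {len(rules)} distinct rules -> {rules}")
```

Against the constructed events this yields one chain, parent 7072 with all four rules, and nothing for the two control events. In production the per-rule functions are what you would tune (the exclusion rule in particular fires on legitimate administration), while the parent-grouping step is where the severity comes from.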

                      Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.0.RegSvcs.exe.400000.1.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: DHL Delivery Invoice AWB 2774038374.exe; Virustotal: Detection: 32%
Antivirus / Scanner detection for submitted sample
Source: DHL Delivery Invoice AWB 2774038374.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\IpkVblcOW.exe; Avira: detection malicious, Label: HEUR/AGEN.1140941
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\IpkVblcOW.exe; ReversingLabs: Detection: 53%
Machine Learning detection for sample
Source: DHL Delivery Invoice AWB 2774038374.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\IpkVblcOW.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.0.RegSvcs.exe.400000.1.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.2.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.3.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 8.0.RegSvcs.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe; Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack
Uses 32bit PE files
Source: DHL Delivery Invoice AWB 2774038374.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DHL Delivery Invoice AWB 2774038374.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_04EB74DC
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_04EBA7A8
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 77.88.21.158
Detected TCP or UDP traffic on non-standard ports / Uses SMTP (mail sending)
Source: global traffic; TCP traffic: 192.168.2.4:49841 -> 77.88.21.158:587
(587/tcp is the standard mail submission port; the connection is the SMTP exfiltration from the extracted configuration, originating from the hollowed RegSvcs.exe, PID 1364.)
URLs found in binary or memory
(The font-vendor URLs below, such as fontbureau.com, carterandcone.com, jiyu-kobo.co.jp and founder.com.cn, come from font data mapped into the dropper process and are not network indicators. The strings from RegSvcs.exe memory are from the injected AgentTesla payload: smtp.yandex.com is the exfiltration host from the configuration, api.ipify.org is used to look up the victim's external IP, and the Certum/Yandex CRL and OCSP URLs come from the certificate chain presented by smtp.yandex.com, which indicates the SMTP session was upgraded to TLS via STARTTLS, so the stolen data will not be readable in a plain packet capture.)
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp; String found in binary or memory: http://aZnPlk.com
Source: RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ca.c
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://smtp.yandex.com
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://subca.ocsp-certum.com0.
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://subca.ocsp-certum.com01
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.701547719.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.701570124.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comams.
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comsioZ
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702975608.0000000007DBC000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702506205.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702832420.0000000007DBC000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comtigJ?b
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730604458.0000000007DB0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comFk):
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730604458.0000000007DB0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.commta
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.como
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comtulk7(
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703871708.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comueed
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/%(
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/A(
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Curs
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/H(
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp, DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0.
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702576543.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.702710173.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A(
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000003.703153587.0000000007DB4000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.730707235.0000000008FC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: http://yandex.ocsp-responder.com03
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963597761.00000000030A1000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963660199.00000000030D4000.00000004.00000001.sdmp; String found in binary or memory: https://AhCxzE4BnkjtzVVxo.com
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000008.00000002.964468199.0000000005FDF000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964371485.0000000005F50000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.964419205.0000000005FB0000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963609464.00000000030A7000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.963711074.00000000030EC000.00000004.00000001.sdmp; String found in binary or memory: https://www.certum.pl/CPS0
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp, RegSvcs.exe, 00000008.00000002.962103556.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000008.00000000.722291160.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000008.00000002.963115226.0000000002D41000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: smtp.yandex.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725851648.0000000000C8B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: DHL Delivery Invoice AWB 2774038374.exe
.NET source code contains very large array initializations
Source: 8.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: 8.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b6795CDFBu002dEE25u002d4022u002d89C5u002dF50BD8ABB224u007d/u00359E2A7B8u002dD821u002d42DFu002dAA7Au002d1475A5D5A03D.cs | Large array initialization: .cctor: array initializer size 11954
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B21F0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1018
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B30C8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B04E0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1780
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B5908
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B21E0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4018
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1017
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4017
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B3095
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B30C7
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010BF318
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B52C8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B52D8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B546A
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B5478
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B04DF
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B177F
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B56E1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B56F0
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B58F9
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010BEC70
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4E98
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4E97
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_04EB560C
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_04EB80C8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_04EB80D8
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09860040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B846A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B83D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B84630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B84610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02B8D2E0
Source: DHL Delivery Invoice AWB 2774038374.exe | Binary or memory string: OriginalFilename vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.731493441.0000000009700000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000000.695437793.00000000005E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKeywor.exe8 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725443597.0000000000666000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKeywor.exe8 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.726607021.00000000029E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepTMxytDGOEdKyjoZeSonSzqfykSeH.exe4 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.728081000.00000000041E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepTMxytDGOEdKyjoZeSonSzqfykSeH.exe4 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe, 00000000.00000002.725851648.0000000000C8B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe | Binary or memory string: OriginalFilenameKeywor.exe8 vs DHL Delivery Invoice AWB 2774038374.exe
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: IpkVblcOW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DHL Delivery Invoice AWB 2774038374.exe | Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File read: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe "C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe"
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IpkVblcOW.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File created: C:\Users\user\AppData\Roaming\IpkVblcOW.exe
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE166.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/9@4/1
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_01
Source: 8.0.RegSvcs.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.RegSvcs.exe.400000.2.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL Delivery Invoice AWB 2774038374.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Unpacked PE file: 0.2.DHL Delivery Invoice AWB 2774038374.exe.5e0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_005E2C3C pushfd ; iretd 0_2_005E2C51
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_005E2C31 pushfd ; iretd 0_2_005E2C51
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B6452 pushfd ; iretd 0_2_010B6453
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1770 push esp; ret 0_2_010B1771
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B285F push ebx; ret 0_2_010B2860
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B58B8 push eax; ret 0_2_010B58C6
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2A99 push ebx; ret 0_2_010B2A9A
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2DB2 push ebx; ret 0_2_010B2DB3
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B1CED push ecx; ret 0_2_010B1CEF
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2F09 push eax; ret 0_2_010B2F0A
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B2F3C push ebx; ret 0_2_010B2F44
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B3FD0 push ebx; ret 0_2_010B3FDE
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_010B4E88 push ecx; ret 0_2_010B4E96
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09863302 push edi; iretd 0_2_09863303
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_098632AF pushfd ; iretd 0_2_098632BE
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09863743 push ss; retf 0_2_09863744
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Code function: 0_2_09863EBD pushfd ; ret 0_2_09863EBE
Source: initial sample | Static PE information: section name: .text entropy: 7.71584990689
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | File created: C:\Users\user\AppData\Roaming\IpkVblcOW.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IpkVblcOW" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DHL Delivery Invoice AWB 2774038374.exe | Process information set: NOOPENFILEERRORBOX