Windows Analysis Report
DHL SHIPMENT NOTIFICATION 1146789443.bat

Overview

General Information

Sample Name: DHL SHIPMENT NOTIFICATION 1146789443.bat (renamed file extension from bat to exe)
Analysis ID: 626594
MD5: f883d433fab3b7ae0c25625e75a03b38
SHA1: d29ddef177a748397abef51f7ec2188fc06506d5
SHA256: 0606d4bc2c27f402be8e98ba28d3af0d35c1c85d3be43690fabe971a687af9ed
Tags: bat, DHL, exe

Detection

AgentTesla, AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Increases the number of concurrent connections per server for Internet Explorer
Tries to harvest and steal ftp login credentials
Contains functionality to hide user accounts
Modifies the hosts file
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
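
Several of the signatures above describe host-side behaviour a responder can hunt for in endpoint telemetry: the Defender directory exclusion, the schtasks.exe persistence, the hosts file write, and payloads executing out of %TEMP% and %APPDATA%. The Python below is an added triage example, not part of the sandbox report and not the sandbox's own detection logic. The event shape is loosely modelled on Sysmon (event ID 1 = process create, 11 = file create, 13 = registry value set); the field names, the sample command lines and the task name are constructed assumptions, only the file paths are taken from the report.

```python
"""Added triage example (not part of the sandbox report): rules for the host-side
behaviours the signature list names - a Windows Defender exclusion, a
schtasks.exe persistence task, a write to the hosts file, and execution out of
the user profile. Event shape is loosely modelled on Sysmon (event ID 1 =
process create, 11 = file create, 13 = registry value set); field names and the
sample events are constructed assumptions, not telemetry from this analysis."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    image: str = ""            # process that produced the event
    command_line: str = ""     # event ID 1 only
    target_filename: str = ""  # event ID 11 only
    target_object: str = ""    # event ID 13 only


# Constructed sample telemetry: paths reuse file names from the report, the
# command lines and the task name are assumptions.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line='powershell Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'),
    Event(1, image=r"C:\Windows\System32\schtasks.exe",
          command_line='schtasks.exe /Create /TN "Updates\\ZWLqFmhrZsaGO" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1A2B.tmp"'),
    Event(11, image=r"C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe",
          target_filename=r"C:\Windows\System32\drivers\etc\hosts"),
    Event(13, image=r"C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user\AppData\Roaming"),
    Event(1, image=r"C:\Windows\explorer.exe", command_line="explorer.exe"),  # benign control
]

DEFENDER_EXCLUSION_KEY = "\\microsoft\\windows defender\\exclusions\\"
HOSTS_SUFFIX = "\\drivers\\etc\\hosts"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def match_event(ev: Event) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: list[str] = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    if ev.event_id == 1:
        # Defender exclusion added through the PowerShell cmdlet ...
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            hits.append("defender_exclusion_added")
        if image.endswith("\\schtasks.exe") and "/create" in cmd:
            hits.append("scheduled_task_created")
    # ... or written straight into the Exclusions registry key.
    if ev.event_id == 13 and DEFENDER_EXCLUSION_KEY in ev.target_object.lower():
        hits.append("defender_exclusion_added")
    if ev.event_id == 11 and ev.target_filename.lower().endswith(HOSTS_SUFFIX):
        hits.append("hosts_file_modified")
    # Payloads in this report run from Temp and Roaming, which is unusual for
    # legitimate software and a cheap secondary indicator.
    if any(marker in image for marker in USER_WRITABLE):
        hits.append("execution_from_user_profile")
    return hits


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Group rule hits by rule name, listing the offending process images."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in match_event(ev):
            findings.setdefault(rule, []).append(ev.image)
    return findings


if __name__ == "__main__":
    for rule, images in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: {', '.join(images)}")
```

The rules are deliberately loose string matches so that they also fire on variants (an exclusion set by editing the registry directly rather than via Add-MpPreference); in production they belong in a SIEM query over real Sysmon or EDR fields, with the benign noise from administrators and installers tuned out.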

AV Detection

Source: 76.8.53.133 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: 14.0.INVESTORORIGIN.exe.10000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ikesend@exportersglobe.com", "Password": "MnmPsqBteq4_", "Host": "mail.exportersglobe.com"}
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "76.8.53.133", "port": 1198}
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe ReversingLabs: Detection: 17%
Source: Yara match File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe ReversingLabs: Detection: 17%
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Joe Sandbox ML: detected
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.4.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.6.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.12.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 15_2_00B4B15E
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4CAFC CryptUnprotectData,LocalAlloc,LocalFree, 15_2_00B4CAFC
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 15_2_00B4CCB4
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 15_2_00B4CC54
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 15_2_00B4A632
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4CF58 LocalAlloc,BCryptDecrypt,LocalFree, 15_2_00B4CF58

Exploits

Source: Yara match File source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.702967431.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530903258.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.524159162.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525983786.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525559127.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.526460067.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INVESTORORIGN.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Directory created: C:\Program Files\Microsoft DN1
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.pdbMZ@ source: WER5763.tmp.dmp.22.dr
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Management.pdbx source: WER5763.tmp.dmp.22.dr
Source: Binary string: .pdb5( source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: i,C:\Windows\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb\ source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdbMicrosoft.VisualBasic.dll source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: CustomMarshalers.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Xml.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.PDB source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.pdb' source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Management.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: INVESTORORIGIN.PDB1n4 source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER5763.tmp.dmp.22.dr
Source: Binary string: CustomMarshalers.pdbCA source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600210188.0000000006126000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B5002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 15_2_00B5002B
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B49DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 15_2_00B49DF6
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4FF27 FindFirstFileW,FindNextFileW, 15_2_00B4FF27

Networking

Source: Malware configuration extractor URLs: 76.8.53.133
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B427D3 URLDownloadToFileW,ShellExecuteW, 15_2_00B427D3
Source: global traffic TCP traffic: 192.168.2.5:49782 -> 76.8.53.133:1198
Source: global traffic TCP traffic: 192.168.2.5:49787 -> 51.210.156.152:587
Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidPsi/Psi
Source: INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://FuVaco.com
Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.veris
Source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exportersglobe.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.exportersglobe.com
Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.446140453.0000000005BFE000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.445951364.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.446201983.0000000005BFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.445951364.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comN%CL.
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml%
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comr%wL0
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comsmJ
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514410373.0000000001307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441000147.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.c
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441000147.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com0
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com2
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.coma
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.como
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comt
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.14.dr String found in binary or memory: http://x1.i.lencr.org/
Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%
Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org%facebooktwittergmailinstagrammovieskypepornhackwhatsappdiscordemailpassword%st
Source: INVESTORORIGIN.exe, 0000000E.00000000.560098397.0000000002876000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.560117509.000000000287E000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564503411.0000000002802000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gdvnpTNIZqNaaR.net
Source: INVESTORORIGN.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGN.exe, 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, INVESTORORIGN.exe, 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, INVESTORORIGN.exe, 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGN.exe.10.dr String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.exportersglobe.com
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4562F setsockopt,recv,recv, 15_2_00B4562F
Source: unknown TCP traffic detected without corresponding DNS query: 76.8.53.133
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B489D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 15_2_00B489D5
Source: INVESTORORIGIN.exe, 0000000E.00000000.558657087.00000000006AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud

Source: Yara match File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: AveMaria_WarZone Author: unknown
Source: INVESTORORIGIN.exe.10.dr, <PrivateImplementationDetails>{70D0A5BA-1C44-4583-9D7A-77668B4AAE66}/901CB1DC-6E5E-4AAF-85E2-232FBC1878B9.cs Large array initialization: .cctor: array initializer size 11747
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_006DBA77 0_2_006DBA77
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_006D9E44 0_2_006D9E44
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_006DC017 0_2_006DC017
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00F14139 0_2_00F14139
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00F1EDF0 0_2_00F1EDF0
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00F1EDE0 0_2_00F1EDE0
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_00F1DA1C 0_2_00F1DA1C
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_07334713 0_2_07334713
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_073386C0 0_2_073386C0
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_07330040 0_2_07330040
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_07337970 0_2_07337970
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 0_2_073318D8 0_2_073318D8
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 10_2_00DD9E44 10_2_00DD9E44
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 10_2_00DDBA77 10_2_00DDBA77
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Code function: 10_2_00DDC017 10_2_00DDC017
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_00012AB8 14_2_00012AB8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_0001A448 14_2_0001A448
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_000126CF 14_2_000126CF
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_0224F640 14_2_0224F640
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_0224F988 14_2_0224F988
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_0224B1A8 14_2_0224B1A8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_02241970 14_2_02241970
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DBC7E8 14_2_05DBC7E8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DB9358 14_2_05DB9358
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DBB308 14_2_05DBB308
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DBC784 14_2_05DBC784
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DBB980 14_2_05DBB980
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DBB1B8 14_2_05DBB1B8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DB3330 14_2_05DB3330
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B51BF8 15_2_00B51BF8
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000F.00000002.702967431.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000003.530903258.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.524159162.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.525983786.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.525559127.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000000.526460067.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: String function: 00B50969 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: String function: 00B435E5 appears 40 times
Source: INVESTORORIGN.exe.10.dr Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.519892559.000000000409C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.520085763.0000000004185000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.512802149.00000000007C8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecDisplayClass.exe* vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.522886817.0000000007580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521256518.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFort.dll" vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.515834568.0000000003B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.527237179.0000000000EC8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecDisplayClass.exe* vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.526737674.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehfOZAZnvDpxmlwGBMbem.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Binary or memory string: OriginalFilenamecDisplayClass.exe* vs DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ZWLqFmhrZsaGO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@14/17@3/2
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_00B4D49C
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B530B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA, 15_2_00B530B3
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe File created: C:\Program Files\Microsoft DN1
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File read: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe"
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe"
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 15_2_00B4F619
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Local\Temp\tmp8559.tmp
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B5290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize, 15_2_00B5290F
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B520B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 15_2_00B520B8
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Mutant created: \Sessions\1\BaseNamedObjects\ELJDrVL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6928
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe String found in binary or memory: BatchTabLayout#tableLayoutPanel4+ProcessEndOfDayButton!!ProcessEndOfDay1LoadTruckRouteFileButton'!LoadTruckRouteFile3LoadTruckDriverFileButton)!LoadTruckDriverFileOLoadOverallInventoryExtensionFileButtonE!LoadOverallInventoryExtensionFile=LoadOverallInventoryFileButton3!LoadOverallInventoryFile9LoadTruckInventoryFileButton/!LoadTruckInventoryFile/LoadTruckFuelFileButton%!LoadTruckFuelFile'LoadTruckFileButton
Source: INVESTORORIGIN.exe.10.dr, A/F1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Directory created: C:\Program Files\Microsoft DN1
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.pdbMZ@ source: WER5763.tmp.dmp.22.dr
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Management.pdbx source: WER5763.tmp.dmp.22.dr
Source: Binary string: .pdb5( source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: i,C:\Windows\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb\ source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdbMicrosoft.VisualBasic.dll source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: CustomMarshalers.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Xml.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.PDB source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.pdb' source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Management.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: INVESTORORIGIN.PDB1n4 source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER5763.tmp.dmp.22.dr
Source: Binary string: CustomMarshalers.pdbCA source: WER5763.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600210188.0000000006126000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER5763.tmp.dmp.22.dr

Data Obfuscation

Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ZWLqFmhrZsaGO.exe.0.dr, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.5.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.7.unpack, IceCreamManager/View/MainForm.cs .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: ZWLqFmhrZsaGO.exe.0.dr, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: 0.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: 0.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.5.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.1.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.7.unpack, IceCreamManager/View/MainForm.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DB2177 push edi; retn 0000h 14_2_05DB2179
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B41190 push eax; ret 15_2_00B411A4
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B41190 push eax; ret 15_2_00B411CC
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4FA42 LoadLibraryA,GetProcAddress, 15_2_00B4FA42
Source: initial sample Static PE information: section name: .text entropy: 7.76755151978
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4D418 NetUserAdd,NetLocalGroupAddMembers, 15_2_00B4D418
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe Jump to dropped file
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe File created: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B427D3 URLDownloadToFileW,ShellExecuteW, 15_2_00B427D3
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 15_2_00B4AC0A
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 15_2_00B4A6C8
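Two of the findings above are easy to reproduce outside the sandbox: the .text entropy of 7.77 (a near-random section is the usual sign of a packed or encrypted payload) and the hex-encoded string arguments that MainForm.cs hands to the dynamically loaded assembly through LateBinding.LateCall. The following Python is an added example, not part of the Joe Sandbox report or the sample; it decodes the LateCall literals quoted above and walks a PE section table to score each section. The PE image it scores is constructed inline (a two-section stub, not the analysed binary), and the 7.0 threshold is an assumed rule of thumb.

```python
import math
import random
import re
import struct
from collections import Counter

# The LateBinding.LateCall line as it appears in the decompiled MainForm.cs above.
LATECALL_LINE = (
    'LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] '
    '{ "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)'
)

# A quoted string made only of hex digits; other quoted strings are left alone.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{8,})"')


def decode_hex_literals(text):
    """Return (literal, decoded) pairs for quoted even-length hex strings that decode to printable ASCII."""
    found = []
    for lit in HEX_LITERAL.findall(text):
        if len(lit) % 2:
            continue
        raw = bytes.fromhex(lit)
        if all(0x20 <= b < 0x7F for b in raw):
            found.append((lit, raw.decode("ascii")))
    return found


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for a constant buffer, 8.0 for uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe):
    """Walk the PE section table and return [(name, entropy), ...] over each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    result = []
    for i in range(nsections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        result.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def flag_packed_sections(pe, threshold=7.0):
    """Sections whose raw bytes look compressed or encrypted (entropy above the assumed threshold)."""
    return [(n, e) for n, e in section_entropies(pe) if e > threshold]


def _build_sample_pe():
    """Constructed two-section PE stub (not the analysed sample): random .text, two-symbol .data."""
    rng = random.Random(7)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    data = b"\x00" * 1024 + b"\x01" * 1024
    opt_size, e_lfanew = 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    text_ptr, data_ptr = 0x200, 0x200 + len(text)
    sections = (
        struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
        + struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x3000, len(data), data_ptr, 0, 0, 0, 0, 0xC0000040)
    )
    headers = dos + b"PE\0\0" + coff + b"\0" * opt_size + sections
    return headers.ljust(text_ptr, b"\0") + text + data


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    for lit, clear in decode_hex_literals(LATECALL_LINE):
        print(f"{lit} -> {clear!r}")
    for name, ent in section_entropies(SAMPLE_PE):
        print(f"{name:8} entropy={ent:.3f}")
    print("packed:", flag_packed_sections(SAMPLE_PE))
```

Run against the real dropped files the entropy score should be read per section: a high .text with ordinary .rsrc/.data is the packer signature; a uniformly high image usually means the whole file is encrypted.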

Boot Survival

Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp"
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 15_2_00B4D508
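The schtasks command above registers the task from an XML file (tmp8559.tmp) that the report does not reproduce. When that file or a `schtasks /Query /XML` export is available, the fields worth pulling are the action, the trigger, the principal and the Hidden flag. The Python below is an added example, not code from the report or the sample: the task name and the ZWLqFmhrZsaGO.exe path in AppData\Roaming come from this report, while the XML body itself (logon trigger, least-privilege principal, Hidden setting; the real file's XML declaration and UTF-16 BOM are omitted) and the list of user-writable directories are assumptions.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition in the shape of the file "schtasks /Create /XML" consumes.
SAMPLE_TASK_NAME = r"Updates\ZWLqFmhrZsaGO"
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Assumed list: directories a legitimate installer does not schedule tasks from.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_task(xml_text):
    """Pull the fields an analyst checks first out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else None

    trig = root.find("t:Triggers", TASK_NS)
    # Child tags carry the namespace prefix in braces: "{...}LogonTrigger" -> "LogonTrigger".
    triggers = [] if trig is None else [c.tag.split("}", 1)[1] for c in trig]
    return {
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "triggers": triggers,
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden") == "true",
    }


def assess_task(task_name, xml_text):
    """Return the parsed task plus the reasons it looks like malware persistence."""
    info = parse_task(xml_text)
    reasons = []
    cmd = (info["command"] or "").lower()
    if any(d in cmd for d in USER_WRITABLE_DIRS):
        reasons.append("command runs from a user-writable directory")
    if {"LogonTrigger", "BootTrigger"} & set(info["triggers"]):
        reasons.append("starts at logon or boot")
    if info["hidden"]:
        reasons.append("task is flagged Hidden")
    if task_name.lower().startswith("updates\\"):
        reasons.append("task name matches the Updates\\<random> pattern in this report")
    return info, reasons


if __name__ == "__main__":
    info, reasons = assess_task(SAMPLE_TASK_NAME, SAMPLE_TASK_XML)
    print(info)
    for r in reasons:
        print(" -", r)
```

The same parser works on the tmp*.tmp file recovered from the sandbox, on `schtasks /Query /TN <name> /XML` output, and on the task files under C:\Windows\System32\Tasks on a live host.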

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: INVESTORORIGN.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: INVESTORORIGN.exe, 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: INVESTORORIGN.exe, 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: INVESTORORIGN.exe, 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: INVESTORORIGN.exe, 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: INVESTORORIGN.exe, 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: INVESTORORIGN.exe, 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: INVESTORORIGN.exe.10.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: INVESTORORIGN.exe.10.dr String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
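The strings above, together with the NetUserAdd/NetLocalGroupAddMembers call and the Zone.Identifier deletion listed earlier, describe one chain: create a local account, hide it from the logon screen through Winlogon\SpecialAccounts\UserList, swap the TermService ServiceDll for an RDP Wrapper library and flip fDenyTSConnections / EnableConcurrentSessions / AllowMultipleTSSessions so the hidden account can log in over RDP. The Python below is an added detection example, not part of the report: it runs those checks over constructed telemetry records in the shape of Sysmon registry value-set (EventID 13) and file-delete (EventID 26) events and Security log account events (4720 created, 4732 added to a local group). The account name, the group, the rdpwrap.dll path and the record layout are assumptions; the registry paths are the ones in the strings above.

```python
import re

DROPPER = r"C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe"

# Constructed telemetry (not from the report). One benign record is included as noise.
SAMPLE_EVENTS = [
    {"id": 4720, "image": DROPPER, "user": "support"},
    {"id": 4732, "image": DROPPER, "user": "support", "group": "Remote Desktop Users"},
    {"id": 13, "image": DROPPER,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\support",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "image": DROPPER,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "details": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"id": 13, "image": DROPPER,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "image": DROPPER,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\EnableConcurrentSessions",
     "details": "DWORD (0x00000001)"},
    {"id": 26, "image": DROPPER,
     "target": r"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe:Zone.Identifier"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

USERLIST_RE = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.IGNORECASE)
TERMSRV_DLL_RE = re.compile(r"\\Services\\TermService\\Parameters\\ServiceDll$", re.IGNORECASE)
# Value name -> the setting that opens the host to (concurrent) RDP logons.
RDP_FLAGS = {"fdenytsconnections": 0, "enableconcurrentsessions": 1, "allowmultipletssessions": 1}


def dword(details):
    """Extract the integer from Sysmon's 'DWORD (0x00000000)' rendering; None if absent."""
    m = re.search(r"0x([0-9A-Fa-f]{8})", details or "")
    return int(m.group(1), 16) if m else None


def analyse(events):
    """Return (tag, detail, image) findings for account hiding, RDP enabling and Mark-of-the-Web removal."""
    created = {e["user"].lower() for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        img = e.get("image")
        if e["id"] == 13:
            target, value = e["target"], e.get("details", "")
            m = USERLIST_RE.search(target)
            if m and dword(value) == 0:
                # UserList\<name> = 0 removes the account from the logon screen.
                acct = m.group(1)
                tag = "hidden-account-created" if acct.lower() in created else "account-hidden"
                findings.append((tag, acct, img))
            elif TERMSRV_DLL_RE.search(target) and not value.lower().endswith("\\termsrv.dll"):
                # Stock TermService points at %SystemRoot%\System32\termsrv.dll.
                findings.append(("termservice-dll-hijack", value, img))
            else:
                name = target.rsplit("\\", 1)[-1].lower()
                if name in RDP_FLAGS and dword(value) == RDP_FLAGS[name]:
                    findings.append(("rdp-weakened", name, img))
        elif e["id"] == 26 and e["target"].lower().endswith(":zone.identifier"):
            findings.append(("motw-removed", e["target"], img))
        elif e["id"] == 4732 and e.get("group", "").lower() == "remote desktop users":
            findings.append(("rdp-group-member-added", e["user"], img))
    return findings


if __name__ == "__main__":
    for tag, detail, img in analyse(SAMPLE_EVENTS):
        print(f"{tag:26} {detail}  <- {img}")
```

On a live host the same three registry locations are the ones to audit directly: any name under SpecialAccounts\UserList with value 0, a TermService ServiceDll that is not termsrv.dll, and the three RDP flags set to their permissive values.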
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 7052, type: MEMORYSTR
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe TID: 7056 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe TID: 7084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe TID: 7140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 6436 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 6432 Thread sleep count: 4249 > 30
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 6432 Thread sleep count: 4402 > 30
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 4028 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe TID: 6908 Thread sleep count: 60 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 15_2_00B4DA5B
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6957
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Window / User API: threadDelayed 4249
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Window / User API: threadDelayed 4402
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B5002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 15_2_00B5002B
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe API call chain: ExitProcess graph end node
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: INVESTORORIGIN.exe, 0000000E.00000000.561609593.00000000061D1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600419354.00000000061D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWrg
Source: INVESTORORIGIN.exe, 0000000E.00000000.561609593.00000000061D1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600419354.00000000061D1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B49DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 15_2_00B49DF6
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4FF27 FindFirstFileW,FindNextFileW, 15_2_00B4FF27
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4FA42 LoadLibraryA,GetProcAddress, 15_2_00B4FA42
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B5094E mov eax, dword ptr fs:[00000030h] 15_2_00B5094E
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B50620 mov eax, dword ptr fs:[00000030h] 15_2_00B50620
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B50619 mov eax, dword ptr fs:[00000030h] 15_2_00B50619
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B41085 GetProcessHeap,RtlAllocateHeap, 15_2_00B41085
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Code function: 14_2_05DB9358 LdrInitializeThunk, 14_2_05DB9358
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Memory written: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B479E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 15_2_00B479E8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B51FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 15_2_00B51FD8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 15_2_00B520B8
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe"
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe"
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 15_2_00B4F56D
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B518BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 15_2_00B518BA
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4F93F cpuid 15_2_00B4F93F
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA, 15_2_00B4882F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information

Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.596033248.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.520747603.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.558169558.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.521115962.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.562363837.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.521511127.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED
Source: Yara match File source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INVESTORORIGIN.exe PID: 6928, type: MEMORYSTR
Source: Yara match File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: POP3 Password 15_2_00B4A29A
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: SMTP Password 15_2_00B4A29A
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: IMAP Password 15_2_00B4A29A
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: \Google\Chrome\User Data\Default\Login Data 15_2_00B4C1B2
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: \Chromium\User Data\Default\Login Data 15_2_00B4C1B2
Source: Yara match File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INVESTORORIGIN.exe PID: 6928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INVESTORORIGN.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.596033248.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.520747603.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.558169558.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.521115962.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.562363837.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.521511127.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED
Source: Yara match File source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: INVESTORORIGIN.exe PID: 6928, type: MEMORYSTR
Source: Yara match File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED