Windows Analysis Report
DHL SHIPMENT NOTIFICATION 1146789443.bat

Overview

General Information

Sample Name: DHL SHIPMENT NOTIFICATION 1146789443.bat (renamed file extension from bat to exe)
Analysis ID: 626594
MD5: f883d433fab3b7ae0c25625e75a03b38
SHA1: d29ddef177a748397abef51f7ec2188fc06506d5
SHA256: 0606d4bc2c27f402be8e98ba28d3af0d35c1c85d3be43690fabe971a687af9ed
Tags: bat, DHL, exe

Detection

AgentTesla, AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Increases the number of concurrent connection per server for Internet Explorer
Tries to harvest and steal ftp login credentials
Contains functionality to hide user accounts
Modifies the hosts file
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • DHL SHIPMENT NOTIFICATION 1146789443.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe" MD5: F883D433FAB3B7AE0C25625E75A03B38)
    • powershell.exe (PID: 6492 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6568 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHL SHIPMENT NOTIFICATION 1146789443.exe (PID: 5556 cmdline: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe MD5: F883D433FAB3B7AE0C25625E75A03B38)
      • INVESTORORIGIN.exe (PID: 6928 cmdline: "C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe" MD5: 138E534107A536F319734BFD7A23C8A3)
        • WerFault.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • INVESTORORIGN.exe (PID: 6872 cmdline: "C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe" MD5: 68FE2DCF9C615A4A55AAA75A11E1F8F0)
  • cleanup
{"C2 url": "76.8.53.133", "port": 1198}
{"Exfil Mode": "SMTP", "Username": "ikesend@exportersglobe.com", "Password": "MnmPsqBteq4_", "Host": "mail.exportersglobe.com"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32f79:$s10: logins
  • 0x329e0:$s11: credential
  • 0x2ef98:$g1: get_Clipboard
  • 0x2efa6:$g2: get_Keyboard
  • 0x2efb3:$g3: get_Password
  • 0x302b3:$g4: get_CtrlKeyDown
  • 0x302c3:$g5: get_ShiftKeyDown
  • 0x302d4:$g6: get_AltKeyDown
C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:

Source | Rule | Description | Author | Strings
0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
15.3.INVESTORORIGN.exe.930630.0.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
15.3.INVESTORORIGN.exe.930630.0.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
15.3.INVESTORORIGN.exe.930630.0.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
15.2.INVESTORORIGN.exe.b40000.0.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
15.2.INVESTORORIGN.exe.b40000.0.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 76.8.53.133 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: 14.0.INVESTORORIGIN.exe.10000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ikesend@exportersglobe.com", "Password": "MnmPsqBteq4_", "Host": "mail.exportersglobe.com"}
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "76.8.53.133", "port": 1198}
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe | ReversingLabs: Detection: 17%
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Joe Sandbox ML: detected
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack | Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4CAFC CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4CF58 LocalAlloc,BCryptDecrypt,LocalFree,

Exploits

Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Directory created: C:\Program Files\Microsoft DN1
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B5002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B49DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4FF27 FindFirstFileW,FindNextFileW,

Networking

Source: Malware configuration extractor | URLs: 76.8.53.133
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B427D3 URLDownloadToFileW,ShellExecuteW,
Source: global traffic | TCP traffic: 192.168.2.5:49782 -> 76.8.53.133:1198
Source: global traffic | TCP traffic: 192.168.2.5:49787 -> 51.210.156.152:587
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441000147.0000000005BF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.c
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441000147.0000000005BF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com0
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com2
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coma
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.como
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comt
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                  Source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.14.drString found in binary or memory: http://x1.i.lencr.org/
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%facebooktwittergmailinstagrammovieskypepornhackwhatsappdiscordemailpassword%st
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.560098397.0000000002876000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.560117509.000000000287E000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564503411.0000000002802000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gdvnpTNIZqNaaR.net
                  Source: INVESTORORIGN.exeString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGN.exe, 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, INVESTORORIGN.exe, 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, INVESTORORIGN.exe, 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGN.exe.10.drString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                  Source: unknownDNS traffic detected: queries for: mail.exportersglobe.com
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B4562F setsockopt,recv,recv,
                  Source: unknownTCP traffic detected without corresponding DNS query: 76.8.53.133
                  Source: unknownTCP traffic detected without corresponding DNS query: 76.8.53.133
                  Source: unknownTCP traffic detected without corresponding DNS query: 76.8.53.133
                  Source: unknownTCP traffic detected without corresponding DNS query: 76.8.53.133
                  Source: unknownTCP traffic detected without corresponding DNS query: 76.8.53.133
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B489D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.558657087.00000000006AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputData

E-Banking Fraud

Source: Yara match | File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED | Matched rule: AveMaria_WarZone Author: unknown
Source: INVESTORORIGIN.exe.10.dr, u003cPrivateImplementationDetailsu003eu007b70D0A5BAu002d1C44u002d4583u002d9D7Au002d77668B4AAE66u007d/u003901CB1DCu002d6E5Eu002d4AAFu002d85E2u002d232FBC1878B9.cs | Large array initialization: .cctor: array initializer size 11747
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_006DBA77
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_006D9E44
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_006DC017
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00F14139
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00F1EDF0
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00F1EDE0
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_00F1DA1C
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_07334713
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_073386C0
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_07330040
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_07337970
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 0_2_073318D8
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 10_2_00DD9E44
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 10_2_00DDBA77
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Code function: 10_2_00DDC017
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_00012AB8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_0001A448
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_000126CF
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_0224F640
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_0224F988
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_0224B1A8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_02241970
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DBC7E8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DB9358
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DBB308
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DBC784
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DBB980
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DBB1B8
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DB3330
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B51BF8
Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.INVESTORORIGN.exe.930630.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.3.INVESTORORIGN.exe.930630.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.2.INVESTORORIGN.exe.2bc0490.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0000000F.00000002.702967431.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000003.530903258.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000000.524159162.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000000.525983786.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000000.525559127.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000000.526460067.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPEDMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPEDMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPEDMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPEDMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPEDMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: String function: 00B50969 appears 47 times
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: String function: 00B435E5 appears 40 times
                  Source: INVESTORORIGN.exe.10.drStatic PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.519892559.000000000409C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.520085763.0000000004185000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.512802149.00000000007C8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamecDisplayClass.exe* vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.522886817.0000000007580000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521256518.0000000005BC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFort.dll" vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.515834568.0000000003B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.527237179.0000000000EC8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamecDisplayClass.exe* vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.526737674.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameINVESTORORIGIN FILE.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamehfOZAZnvDpxmlwGBMbem.exe4 vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exeBinary or memory string: OriginalFilenamecDisplayClass.exe* vs DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: ZWLqFmhrZsaGO.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File created: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
                  Source: classification engine | Classification label: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@14/17@3/2
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B530B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | File created: C:\Program Files\Microsoft DN1
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | ReversingLabs: Detection: 17%
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File read: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknown | Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe "C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe"
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe"
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8559.tmp
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B5290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B520B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Mutant created: \Sessions\1\BaseNamedObjects\ELJDrVL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6928
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_01
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | String found in binary or memory: BatchTabLayout#tableLayoutPanel4+ProcessEndOfDayButton!!ProcessEndOfDay1LoadTruckRouteFileButton'!LoadTruckRouteFile3LoadTruckDriverFileButton)!LoadTruckDriverFileOLoadOverallInventoryExtensionFileButtonE!LoadOverallInventoryExtensionFile=LoadOverallInventoryFileButton3!LoadOverallInventoryFile9LoadTruckInventoryFileButton/!LoadTruckInventoryFile/LoadTruckFuelFileButton%!LoadTruckFuelFile'LoadTruckFileButton
                  Source: INVESTORORIGIN.exe.10.dr, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Directory created: C:\Program Files\Microsoft DN1
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: System.Core.ni.pdbRSDSD source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Xml.ni.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.pdbMZ@ source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Management.pdbx source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: .pdb5( source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: i,C:\Windows\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb\ source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Configuration.pdbMicrosoft.VisualBasic.dll source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Configuration.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: \??\C:\Windows\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: CustomMarshalers.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Xml.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Core.ni.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.PDB source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Windows.Forms.pdb' source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: \??\C:\Windows\dll\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Management.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: INVESTORORIGIN.PDB1n4 source: INVESTORORIGIN.exe, 0000000E.00000002.596135912.00000000001D8000.00000004.00000010.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558259633.00000000001D8000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: CustomMarshalers.pdbCA source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS source: WER5763.tmp.dmp.22.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: INVESTORORIGIN.exe, 0000000E.00000000.561504236.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.567489867.0000000006126000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600210188.0000000006126000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WER5763.tmp.dmp.22.dr

                  Data Obfuscation

                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: ZWLqFmhrZsaGO.exe.0.dr, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.5.unpack, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.1.unpack, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.7.unpack, IceCreamManager/View/MainForm.cs | .Net Code: iiiii System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: ZWLqFmhrZsaGO.exe.0.dr, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: 0.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: 0.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.6d0000.0.unpack, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.5.unpack, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.1.unpack, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: 10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.dd0000.7.unpack, IceCreamManager/View/MainForm.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "46696C654173736F63696174696F6E456E", "4E415337514175", "IceCreamManager" } }, null, null)
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Code function: 14_2_05DB2177 push edi; retn 0000h
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B41190 push eax; ret
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4FA42 LoadLibraryA,GetProcAddress,
                  Source: initial sample | Static PE information: section name: .text entropy: 7.76755151978
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4D418 NetUserAdd,NetLocalGroupAddMembers,
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File created: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File created: C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | File created: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B427D3 URLDownloadToFileW,ShellExecuteW,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,

                  Boot Survival

                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
                  Source: INVESTORORIGN.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: INVESTORORIGN.exe, 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: INVESTORORIGN.exe, 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: INVESTORORIGN.exe, 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: INVESTORORIGN.exe.10.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 7052, type: MEMORYSTR
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe TID: 7056 Thread sleep time: -45733s >= -30000s
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe TID: 7084 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5428 Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4112 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe TID: 7140 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 6436 Thread sleep time: -23058430092136925s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 6432 Thread sleep count: 4249 > 30
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 6432 Thread sleep count: 4402 > 30
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe TID: 4028 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe TID: 6908 Thread sleep count: 60 > 30
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6957
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Window / User API: threadDelayed 4249
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Window / User API: threadDelayed 4402
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 45733
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B5002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe API call chain: ExitProcess graph end node
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.561609593.00000000061D1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600419354.00000000061D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWrg
                  Source: INVESTORORIGIN.exe, 0000000E.00000000.561609593.00000000061D1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600419354.00000000061D1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                  Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B49DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4FF27 FindFirstFileW,FindNextFileW,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe Code function: 15_2_00B4FA42 LoadLibraryA,GetProcAddress,
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B5094E mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B50620 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B50619 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B41085 GetProcessHeap,RtlAllocateHeap,
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeCode function: 14_2_05DB9358 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeMemory allocated: page read and write | page guard
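The anti-analysis rows above fall into a few families: very long or effectively unbounded sleeps, WMI enumeration of Win32_Processor, hypervisor product strings in memory, reads of the PEB through fs:[30h], and ProcessDebugPort queries. The 922337203685477 ms delay is not an arbitrary number: it is Int64.MaxValue 100-ns ticks divided by 10,000, i.e. a .NET TimeSpan.MaxValue expressed in milliseconds, so the thread is parked until the sandbox gives up. The following is an added example, not code from the Joe Sandbox report: it scores behaviour rows written in a "Source: <process or dump> | <kind>: <detail>" shape (the separator is this example's assumption), the sample rows are constructed from the report's own entries, and the 30 s long-sleep threshold is an assumed tuning value.

```python
import re
from dataclasses import dataclass, field

# Int64.MaxValue ticks (100 ns each) / 10_000 ticks per millisecond = 922337203685477 ms,
# which is what a TimeSpan.MaxValue sleep looks like once the sandbox reports it in ms.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 30_000          # assumed threshold; tune to the sandbox's run budget
VM_ARTIFACTS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu", "xen")

# Assumed row shape for this example: "Source: <process or dump> | <kind>: <detail>"
LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?) \| (?P<kind>[^:]+):\s*(?P<detail>.*)$")
TRAILING_INT = re.compile(r"(\d+)\s*$")

# Constructed from the report rows above (subset).
SAMPLE = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6957",
    r"Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Thread delayed: delay time: 45733",
    r"Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Thread delayed: delay time: 922337203685477",
    r"Source: DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II",
    r"Source: INVESTORORIGIN.exe, 0000000E.00000000.561609593.00000000061D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW",
    r"Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B5094E mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Process queried: DebugPort",
]


@dataclass
class Findings:
    infinite_sleeps: int = 0
    long_sleeps: list = field(default_factory=list)            # (process, ms)
    wmi_hardware_queries: list = field(default_factory=list)   # processes
    vm_strings: set = field(default_factory=set)
    peb_reads: int = 0
    debugport_queries: int = 0

    def techniques(self):
        """Sorted labels for the evasion families seen, one per family."""
        t = set()
        if self.infinite_sleeps:
            t.add("anti-sandbox:infinite-sleep")
        if self.long_sleeps:
            t.add("anti-sandbox:long-sleep")
        if self.wmi_hardware_queries:
            t.add("anti-vm:wmi-hardware-query")
        if self.vm_strings:
            t.add("anti-vm:hypervisor-strings")
        if self.peb_reads:
            t.add("anti-debug:peb-read")
        if self.debugport_queries:
            t.add("anti-debug:debugport-query")
        return sorted(t)


def process_name(src):
    """'C:\\...\\foo.exe' or 'foo.exe, <dump id>.sdmp' -> 'foo.exe'."""
    return src.split(",")[0].rsplit("\\", 1)[-1]


def analyse(lines):
    f = Findings()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc, kind, detail = process_name(m["src"]), m["kind"].strip(), m["detail"].strip()
        if kind in ("Thread delayed", "Window / User API"):
            n = TRAILING_INT.search(detail)
            ms = int(n.group(1)) if n else 0
            if ms == TIMESPAN_MAX_MS:
                f.infinite_sleeps += 1
            elif ms >= LONG_SLEEP_MS:
                f.long_sleeps.append((proc, ms))
        elif kind == "WMI Queries" and "Win32_Processor" in detail:
            f.wmi_hardware_queries.append(proc)
        elif kind == "Binary or memory string":
            f.vm_strings.update(a for a in VM_ARTIFACTS if a in detail.lower())
        elif kind == "Code function" and "fs:[00000030h]" in detail:
            # fs:[30h] is the TEB's PEB pointer on 32-bit Windows; the usual consumers
            # are PEB.BeingDebugged (+0x02) and PEB.NtGlobalFlag (+0x68).
            f.peb_reads += 1
        elif kind == "Process queried" and detail == "DebugPort":
            f.debugport_queries += 1
    return f


if __name__ == "__main__":
    print(analyse(SAMPLE).techniques())
```

The delay rows are the most portable signal: a sandbox that patches Sleep to return immediately still sees the requested value, and a request equal to TimeSpan.MaxValue has no legitimate interpretation in a shipping-notification program.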

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Memory written: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B479E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B51FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe"
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Process created: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe "C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe"
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B4F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: 15_2_00B518BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
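The defence-evasion and persistence rows above make a compact detection set: a Defender exclusion added through PowerShell, a scheduled task imported from an XML file in the user's Temp directory (with /XML the task's action and trigger live in the file, so the command line alone never shows what will run), the dropper spawning a copy of itself and writing an MZ header at the child's 0x400000 image base (the pattern typical of process hollowing), a hosts-file write by a binary in a user-writable directory, and the OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain. The following is an added example, not code from the report or from the sandbox: the event dictionaries are constructed from the command lines, paths and API names listed above, the event schema (type, image, parent, cmdline, and so on) is this example's assumption, and the two benign rows are there to show that the rules stay quiet on ordinary activity.

```python
import re
from pathlib import PureWindowsPath

# Constructed telemetry, shaped like process/file/API events from an EDR (schema assumed),
# populated with the command lines, paths and API chain listed in the report above.
DROPPER = r"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
EVENTS = [
    {"type": "process_create", "parent": DROPPER,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe"'},
    {"type": "process_create", "parent": DROPPER,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp"'},
    {"type": "process_create", "parent": DROPPER, "image": DROPPER, "cmdline": DROPPER},
    {"type": "memory_write", "image": DROPPER, "target": DROPPER,
     "base": 0x400000, "value_prefix": "4D5A"},
    {"type": "file_write", "image": r"C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "api_trace", "image": r"C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe",
     "calls": ["OpenProcess", "VirtualAllocEx", "VirtualProtectEx", "VirtualAllocEx",
               "WriteProcessMemory", "WriteProcessMemory", "CreateRemoteThread"]},
    # benign control rows that must not fire
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "file_write", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
]

MP_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCHTASKS_XML = re.compile(r"/create\b.*?/xml\s+\"?([^\"]+)", re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
INJECT_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]


def basename(path):
    return PureWindowsPath(path).name.lower()


def has_ordered_subsequence(calls, pattern):
    """True if every name in pattern occurs in calls in that order (gaps allowed)."""
    it = iter(calls)
    return all(any(c == want for c in it) for want in pattern)


def evaluate(events):
    """Return (rule, image basename) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        img, kind = ev["image"], ev["type"]
        if kind == "process_create":
            cmd = ev["cmdline"]
            if basename(img) == "powershell.exe" and MP_EXCLUSION.search(cmd):
                hits.append(("defender_exclusion_added", basename(img)))
            m = SCHTASKS_XML.search(cmd)
            if (basename(img) == "schtasks.exe" and m
                    and any(d in m.group(1).lower() for d in TEMP_DIRS)):
                hits.append(("scheduled_task_from_temp_xml", basename(img)))
            if img.lower() == ev["parent"].lower():
                hits.append(("self_spawn", basename(img)))
        elif kind == "memory_write":
            # An MZ header written at a child's default image base: hollowing precursor.
            if ev["base"] == 0x400000 and ev["value_prefix"].upper() == "4D5A":
                hits.append(("pe_image_written_at_image_base", basename(img)))
        elif kind == "file_write":
            writer_in_windows = img.lower().startswith("c:\\windows\\")
            if ev["path"].lower().endswith(r"\drivers\etc\hosts") and not writer_in_windows:
                hits.append(("hosts_file_modified", basename(img)))
        elif kind == "api_trace":
            if has_ordered_subsequence(ev["calls"], INJECT_CHAIN):
                hits.append(("remote_thread_injection", basename(img)))
    return hits


if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:32} {image}")
```

On a live host the same three facts are cheap to confirm: Get-MpPreference exposes ExclusionPath, Get-ScheduledTask -TaskPath "\Updates\" lists the imported task, and a diff of drivers\etc\hosts against a known-good copy shows the redirection.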
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe VolumeInformation
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B4F93F cpuid
                  Source: C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exeCode function: 15_2_00B4882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

                  Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File written: C:\Windows\System32\drivers\etc\hosts
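The report records only that INVESTORORIGIN.exe wrote to C:\Windows\System32\drivers\etc\hosts, not what it wrote. A hosts-file write by malware is almost always one of two things: a block (a security-vendor or update name null-routed to 127.0.0.1 or 0.0.0.0) or a pin (the attacker's own name hard-wired to an address so DNS logging and filtering never see the lookup). A triage check should therefore parse the file and classify each mapping rather than just diff it against a golden copy. The Python below is an added example, not code from the report or from the sandbox vendor; the sample hosts content, the sinkhole domain list and the reason strings are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file for the demo. The report only records that
# INVESTORORIGIN.exe wrote C:\Windows\System32\drivers\etc\hosts; its contents
# are not on the page, so everything below the stock comments is invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
0.0.0.0          www.virustotal.com
127.0.0.1        update.microsoft.com  # added by malware
51.210.156.152   mail.exportersglobe.com
192.168.1.20     intranet.corp.local
not-an-ip        garbage
"""

# Domains whose sinkholing starves AV and OS updates. Illustrative list (assumption).
SENSITIVE_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "virustotal.com", "kaspersky.com",
    "symantec.com", "mcafee.com", "avast.com", "eset.com", "bitdefender.com",
)


def is_sensitive(host):
    """True if host is one of SENSITIVE_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SENSITIVE_DOMAINS)


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) tuples for every mapping.

    Comments, blank lines and lines whose first token is not an IP address are
    skipped, which is also how the Windows resolver treats them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries


def audit_hosts(text):
    """Return findings as (line_number, hostname, ip, reason); [] for a stock file.

    Two tampering patterns are reported: a name null-routed to loopback/0.0.0.0
    (blocking) and a name pinned to a public address (DNS bypass). Mappings to
    private or link-local addresses are left alone because they are the normal
    reason an administrator edits this file.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = ("security/update domain sinkholed" if is_sensitive(host)
                      else "domain null-routed")
            findings.append((lineno, host, str(ip), reason))
        elif ip.is_global:
            findings.append((lineno, host, str(ip), "name pinned to public address, bypasses DNS"))
    return findings


if __name__ == "__main__":
    for lineno, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}: {reason}")
```

On a live host, read the real file with `open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8-sig")` and pass the text to `audit_hosts`; the function is pure so it works equally on a file pulled from a disk image.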

                  Stealing of Sensitive Information

Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.596033248.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.520747603.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.558169558.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.521115962.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.562363837.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.521511127.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED
Source: Yara match | File source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: INVESTORORIGIN.exe PID: 6928, type: MEMORYSTR
Source: Yara match | File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: POP3 Password
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: SMTP Password
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: IMAP Password
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | Code function: \Chromium\User Data\Default\Login Data
Source: Yara match | File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: INVESTORORIGIN.exe PID: 6928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: INVESTORORIGN.exe PID: 6872, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED
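Each of the opens listed in this section (Thunderbird and Firefox profiles.ini, Chrome's Login Data, the IncrediMail and Outlook profile keys, WinSCP sessions, FileZilla recentservers.xml, SmartFTP favorites) is benign when its owning application does it. What marks a stealer is one process reaching several unrelated stores within seconds, which is exactly the sequence the sandbox recorded for INVESTORORIGIN.exe. The Python below is an added example and not part of the report: it maps the paths and keys from this section to store families and flags any process that touches two or more families inside a time window, ignoring a store touched by its own owner. The access records are constructed (only the paths and process names come from the report); the window, the threshold and the owner table are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Credential stores the report shows the dropped binary opening, keyed by the
# distinctive tail of each path or registry key (lower-cased, backslash form).
CREDENTIAL_STORES = {
    r"\appdata\roaming\thunderbird\profiles.ini": "mail:thunderbird",
    r"\software\incredimail\identities": "mail:incredimail",
    r"\windows messaging subsystem\profiles\outlook": "mail:outlook",
    r"\google\chrome\user data\default\login data": "browser:chrome",
    r"\chromium\user data\default\login data": "browser:chromium",
    r"\appdata\roaming\mozilla\firefox\profiles.ini": "browser:firefox",
    r"\martin prikryl\winscp 2\sessions": "ftp:winscp",
    r"\appdata\roaming\filezilla\recentservers.xml": "ftp:filezilla",
    r"\appdata\roaming\smartftp\client 2.0\favorites": "ftp:smartftp",
}

# Which process legitimately owns which store; anything else touching it is
# suspect. Assumption for the demo.
OWNERS = {"thunderbird.exe": "mail:thunderbird", "firefox.exe": "browser:firefox",
          "chrome.exe": "browser:chrome", "outlook.exe": "mail:outlook"}


def classify(path):
    """Map a file path or registry key to a store family, or None if unrelated."""
    p = path.lower()
    for tail, family in CREDENTIAL_STORES.items():
        if tail in p:
            return family
    return None


def detect_stealers(events, window=timedelta(seconds=60), min_families=2):
    """Return {(pid, image): [families]} for processes that open credential stores
    of at least min_families distinct families within `window`.

    events: iterable of (timestamp, pid, image_name, path_or_key). A process
    opening only its own store (per OWNERS) is never reported.
    """
    touches = defaultdict(list)
    for ts, pid, image, path in events:
        family = classify(path)
        if family and OWNERS.get(image.lower()) != family:
            touches[(pid, image)].append((ts, family))
    hits = {}
    for key, seq in touches.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):          # sliding window from each touch
            families = {fam for ts, fam in seq[i:] if ts - start <= window}
            if len(families) >= min_families:
                hits[key] = sorted(families)
                break
    return hits


# Constructed access records (timestamp, pid, image, path). PIDs and images match the
# report's process list; the timestamps and the benign browser activity are invented.
T = datetime(2022, 5, 14, 10, 0, 0)
SAMPLE_EVENTS = [
    (T, 6928, "INVESTORORIGIN.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (T + timedelta(seconds=1), 6928, "INVESTORORIGIN.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (T + timedelta(seconds=1), 6928, "INVESTORORIGIN.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (T + timedelta(seconds=2), 6928, "INVESTORORIGIN.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (T + timedelta(seconds=2), 6928, "INVESTORORIGIN.exe", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (T + timedelta(minutes=5), 4100, "firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (T + timedelta(minutes=6), 5200, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (T + timedelta(minutes=7), 5200, "chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"),
]

if __name__ == "__main__":
    for (pid, image), families in detect_stealers(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}) opened {len(families)} credential stores: {', '.join(families)}")
```

The family labels carry the application class (mail, browser, ftp) so the threshold can be tightened to "two different classes" if a single-class rule produces noise from backup or sync agents; the SmartFTP and Chromium entries are present so the table covers every store the report names, not only the ones the constructed events exercise.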

                  Remote Access Functionality

Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.INVESTORORIGIN.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.INVESTORORIGIN.exe.10000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4468f18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.596033248.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.520747603.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.558169558.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.521115962.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.562363837.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.521511127.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, type: DROPPED
Source: Yara match | File source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL SHIPMENT NOTIFICATION 1146789443.exe PID: 5556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: INVESTORORIGIN.exe PID: 6928, type: MEMORYSTR
Source: Yara match | File source: 15.2.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.INVESTORORIGN.exe.b40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.4450aa8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, type: DROPPED

MITRE ATT&CK Matrix, listed by tactic column (digits in front of a technique name are the report's signature-count badges for that cell, kept as rendered)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 211 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 1 Create Account; 1 Windows Service; 1 Scheduled Task/Job; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 221 Process Injection; 1 Scheduled Task/Job; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: 1 File and Directory Permissions Modification; 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 23 Software Packing; 3 Masquerading; 141 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 221 Process Injection; 1 Hidden Files and Directories; 1 Hidden Users
Credential Access: 4 OS Credential Dumping; 31 Input Capture; 1 Credentials in Registry; 1 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 1 System Time Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 125 System Information Discovery; 1 Query Registry; 331 Security Software Discovery; 141 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; Permission Groups Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 31 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: 21 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 111 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: 1 Endpoint Denial of Service; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph
                  Behavior Graph ID: 626594
                  Sample: DHL SHIPMENT NOTIFICATION 1...
                  Startdate: 14/05/2022
                  Architecture: WINDOWS
                  Score: 100

                  Signatures on the sample (node 2):
                  • Found malware configuration
                  • Malicious sample detected (through community Yara rule)
                  • Antivirus detection for URL or domain
                  • 16 other signatures

                  Process tree:
                  • [8] DHL SHIPMENT NOTIFICATION 1146789443.exe (7), started by node 2
                    Dropped files:
                    • C:\Users\user\AppData\...\ZWLqFmhrZsaGO.exe, PE32
                    • C:\...\ZWLqFmhrZsaGO.exe:Zone.Identifier, ASCII
                    • C:\Users\user\AppData\Local\...\tmp8559.tmp, XML
                    • DHL SHIPMENT NOTIF... 1146789443.exe.log, ASCII
                    Signatures:
                    • Adds a directory exclusion to Windows Defender
                    • Injects a PE file into a foreign processes
                    Started processes:
                    • [12] DHL SHIPMENT NOTIFICATION 1146789443.exe (3)
                      Dropped files:
                      • C:\Users\user\AppData\...\INVESTORORIGN.exe, PE32
                      • C:\Users\user\AppData\...\INVESTORORIGIN.exe, PE32
                      Started processes:
                      • [19] INVESTORORIGIN.exe (4)
                        DNS/IP:
                        • exportersglobe.com 51.210.156.152, ports 49787, 587, OVHFR, France
                        • x1.i.lencr.org
                        • mail.exportersglobe.com
                        Dropped files:
                        • C:\Windows\System32\drivers\etc\hosts, ASCII
                        Signatures:
                        • Antivirus detection for dropped file
                        • Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                        • Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        • 5 other signatures
                        Started processes:
                        • [30] WerFault.exe
                      • [24] INVESTORORIGN.exe
                        DNS/IP:
                        • 76.8.53.133, ports 1198, 49782, 49805, QUONIXNETUS, United States
                        Signatures:
                        • Machine Learning detection for dropped file
                        • Contains functionality to inject threads in other processes
                        • Contains functionality to steal Chrome passwords or cookies
                        • 3 other signatures
                    • [15] powershell.exe (25)
                      Started processes:
                      • [26] conhost.exe
                    • [17] schtasks.exe (1)
                      Started processes:
                      • [28] conhost.exe

                  Antivirus, Machine Learning and Genetic Malware Detection: Initial Sample
                  Source | Detection | Scanner | Label | Link
                  DHL SHIPMENT NOTIFICATION 1146789443.exe | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
                  DHL SHIPMENT NOTIFICATION 1146789443.exe | 100% | Joe Sandbox ML | |
                  Dropped Files
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | 100% | Avira | TR/Redcap.ghjpt |
                  C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | 100% | Avira | TR/Spy.Gen8 |
                  C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
                  Unpacked PE Files
                  Source | Detection | Scanner | Label | Link | Download
                  15.0.INVESTORORIGN.exe.b40000.0.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
                  10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
                  14.0.INVESTORORIGIN.exe.10000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  14.0.INVESTORORIGIN.exe.10000.5.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  14.0.INVESTORORIGIN.exe.10000.3.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  14.0.INVESTORORIGIN.exe.10000.2.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
                  15.2.INVESTORORIGN.exe.b40000.0.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
                  10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
                  14.0.INVESTORORIGIN.exe.10000.1.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  15.0.INVESTORORIGN.exe.b40000.6.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
                  14.2.INVESTORORIGIN.exe.10000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
                  10.2.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
                  15.0.INVESTORORIGN.exe.b40000.4.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
                  14.0.INVESTORORIGIN.exe.10000.4.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                  10.0.DHL SHIPMENT NOTIFICATION 1146789443.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
                  15.0.INVESTORORIGN.exe.b40000.2.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
                  No Antivirus matches
                  URLs
                  Source | Detection | Scanner | Label | Link
                  http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                  http://www.sajatypeworks.com0 | 0% | Avira URL Cloud | safe |
                  http://www.sajatypeworks.com2 | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                  http://www.tiro.com | 0% | URL Reputation | safe |
                  http://www.founder.c | 0% | URL Reputation | safe |
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                  https://gdvnpTNIZqNaaR.net | 0% | Avira URL Cloud | safe |
                  http://www.carterandcone.com | 0% | URL Reputation | safe |
                  http://r3.i.lencr.org/0 | 0% | URL Reputation | safe |
                  http://www.carterandcone.coml% | 0% | Avira URL Cloud | safe |
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                  http://www.typography.netD | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                  http://www.carterandcone.comsmJ | 0% | Avira URL Cloud | safe |
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                  http://fontfabrik.com | 0% | URL Reputation | safe |
                  http://www.carterandcone.comr%wL0 | 0% | Avira URL Cloud | safe |
                  http://crl.veris | 0% | URL Reputation | safe |
                  http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                  http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                  http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                  http://FuVaco.com | 0% | Avira URL Cloud | safe |
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                  http://www.sajatypeworks.coma | 0% | URL Reputation | safe |
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                  http://www.sakkal.com | 0% | URL Reputation | safe |
                  https://api.ipify.org% | 0% | URL Reputation | safe |
                  http://www.carterandcone.comN%CL. | 0% | Avira URL Cloud | safe |
                  http://x1.i.lencr.org/ | 0% | URL Reputation | safe |
                  76.8.53.133 | 100% | Avira URL Cloud | malware |
                  http://cps.letsencrypt.org0 | 0% | URL Reputation | safe |
                  http://www.tiro.comt | 0% | URL Reputation | safe |
                  http://www.tiro.como | 0% | Avira URL Cloud | safe |
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
                  http://www.carterandcone.coml | 0% | URL Reputation | safe |
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                  http://DynDns.comDynDNSnamejidPsi/Psi | 0% | Avira URL Cloud | safe |
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                  https://api.ipify.org%facebooktwittergmailinstagrammovieskypepornhackwhatsappdiscordemailpassword%st | 0% | Avira URL Cloud | safe |
                  Domains
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  exportersglobe.com | 51.210.156.152 | true | false | | high
                  mail.exportersglobe.com | unknown | unknown | false | | high
                  x1.i.lencr.org | unknown | unknown | false | | high
                  Contacted IPs
                  Name | Malicious | Antivirus Detection | Reputation
                  76.8.53.133 | true | Avira URL Cloud: malware | unknown
                  URLs from Memory and Binaries
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://127.0.0.1:HTTP/1.1 | INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                  http://www.fontbureau.com/designersG | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.sajatypeworks.com0 | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.sajatypeworks.com2 | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/? | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.founder.com.cn/cn/bThe | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers? | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.tiro.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.founder.c | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441000147.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.goodfont.co.kr | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://gdvnpTNIZqNaaR.net | INVESTORORIGIN.exe, 0000000E.00000000.560098397.0000000002876000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.560117509.000000000287E000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564503411.0000000002802000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.carterandcone.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.446140453.0000000005BFE000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.445951364.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.446201983.0000000005BFE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://github.com/syohex/java-simple-mine-sweeper | INVESTORORIGN.exe | false | | high
                  http://r3.i.lencr.org/0 | INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.coml% | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                  http://www.sajatypeworks.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.typography.netD | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.founder.com.cn/cn/cThe | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.comsmJ | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.galapagosdesign.com/staff/dennis.htm | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://fontfabrik.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.comr%wL0 | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                  http://crl.veris | INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://x1.c.lencr.org/0 | INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://x1.i.lencr.org/0 | INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://r3.o.lencr.org0 | INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.galapagosdesign.com/DPlease | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://FuVaco.com | INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.fonts.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.sandoll.co.kr | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.sajatypeworks.coma | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.437881619.0000000005C0B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.urwpp.deDPlease | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.zhongyicts.com.cn | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.sakkal.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  https://api.ipify.org% | INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
                  http://www.carterandcone.comN%CL. | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.445951364.0000000005BFD000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.443725716.0000000005BF5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                  http://www.apache.org/licenses/LICENSE-2.0 | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.fontbureau.com | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.514410373.0000000001307000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://x1.i.lencr.org/ | INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.14.dr | false | URL Reputation: safe | unknown
                  http://cps.letsencrypt.org0 | INVESTORORIGIN.exe, 0000000E.00000000.561485586.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.600185823.0000000006120000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.564579076.0000000002852000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.596649630.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563092562.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.558741932.00000000006DF000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.tiro.comt | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.tiro.como | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441138599.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.carterandcone.coml | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/cabarga.htmlN | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://www.founder.com.cn/cn | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp, DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000003.441000147.0000000005BF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers/frere-jones.html | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  http://DynDns.comDynDNSnamejidPsi/Psi | INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.jiyu-kobo.co.jp/ | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers8 | DHL SHIPMENT NOTIFICATION 1146789443.exe, 00000000.00000002.521726377.0000000006E02000.00000004.00000800.00020000.00000000.sdmp | false | | high
                  https://api.ipify.org%facebooktwittergmailinstagrammovieskypepornhackwhatsappdiscordemailpassword%st | INVESTORORIGIN.exe, 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGIN.exe, 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                  https://github.com/syohex/java-simple-mine-sweeperC: | DHL SHIPMENT NOTIFICATION 1146789443.exe, 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGN.exe, 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, INVESTORORIGN.exe, 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, INVESTORORIGN.exe, 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, INVESTORORIGN.exe.10.dr | false | | high
                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs
                  Contacted Public IPs
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  76.8.53.133 | unknown | United States | | 17185 | QUONIXNETUS | true
                  51.210.156.152 | exportersglobe.com | France | | 16276 | OVHFR | false
                  General Information
                  Joe Sandbox Version: 34.0.0 Boulder Opal
                  Analysis ID: 626594
                  Start date and time: 14/05/2022 15:09:35 (2022-05-14 15:09:35 +02:00)
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 13m 41s
                  Hypervisor based Inspection enabled: false
                  Report type: light
                  Sample file name: DHL SHIPMENT NOTIFICATION 1146789443.bat (renamed file extension from bat to exe)
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed: 31
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@14/17@3/2
                                                  EGA Information:
                                                  • Successful, ratio: 75%
                                                  HDC Information:
                                                  • Successful, ratio: 8.7% (good quality ratio 8.6%)
                                                  • Quality average: 88.1%
                                                  • Quality standard deviation: 20.3%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.50.97.168, 20.189.173.20
                                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target DHL SHIPMENT NOTIFICATION 1146789443.exe, PID 5556 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
15:11:07 | API Interceptor | 2x Sleep call for process: DHL SHIPMENT NOTIFICATION 1146789443.exe modified
15:11:15 | API Interceptor | 37x Sleep call for process: powershell.exe modified
15:11:35 | API Interceptor | 143x Sleep call for process: INVESTORORIGIN.exe modified
15:12:05 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):1.2592822441229328
                                                  Encrypted:false
                                                  SSDEEP:192:DgFS7ubdHBUZMXqaKeCvYLTy/u7sQS274ItVM:DOS7uBBUZMXqaeeTy/u7sQX4ItVM
                                                  MD5:BCD112C816C0E8D78C183A24846CB0FE
                                                  SHA1:F7E7193CE66FFD736AA86D612CAF5E07B1EF2EBB
                                                  SHA-256:4D57D837C86736130374FF8D70070046C768CDE5F6D61F221C8B0E1725E0658D
                                                  SHA-512:6322BF29729CAD6A3DA4DCD555444385D227B6732C6E4D13AB5E01285BA79EE612FF71D8B99530C4C0A2C250FEAA2C6C583C23F9609D5F820443988971E524D2
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.0.3.9.9.1.5.4.8.9.5.5.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.0.3.9.9.2.4.3.3.8.6.8.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.5.8.a.9.f.d.-.b.2.5.5.-.4.1.b.b.-.9.b.7.c.-.c.5.c.9.9.4.e.3.5.a.7.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.e.5.a.5.0.b.-.d.d.f.f.-.4.d.e.c.-.b.d.0.8.-.1.9.b.3.c.9.a.2.c.9.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.N.V.E.S.T.O.R.O.R.I.G.I.N...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.h.f.O.Z.A.Z.n.v.D.p.x.m.l.w.G.B.M.b.e.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.1.0.-.0.0.0.1.-.0.0.1.7.-.7.7.7.c.-.6.1.9.0.d.f.6.7.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.2.9.e.0.d.3.f.7.f.6.c.0.5.a.2.d.3.3.5.c.a.0.f.0.d.9.3.7.5.8.0.0.0.0.0.0.0.0.!.0.0.0.0.3.2.6.b.c.5.8.6.2.9.3.7.7.6.d.2.d.c.4.3.
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Mini DuMP crash report, 15 streams, Sat May 14 22:11:57 2022, 0x1205a4 type
                                                  Category:dropped
                                                  Size (bytes):377183
                                                  Entropy (8bit):3.2816214263554357
                                                  Encrypted:false
                                                  SSDEEP:3072:entWB9gIOgF5D0IJgUoKAoJi7ouHhgDjd+psEUj/0OiUCgUf87:F9RpDD0IJgUoP0i7oF8p4rOTj
                                                  MD5:810B7BB99711EAC53423A73B635AE038
                                                  SHA1:EE408BE019BCE8161155A8DE64867C9D110519DF
                                                  SHA-256:6B18C4099787BCBD8C3A740881E8E616F3406891753A85A50EFAE321DB7A0D37
                                                  SHA-512:0D9D66E032F69B9AAA78D2B978FB29E3B98291A6A46BA2628D4213DBB13B8AE8488FAEB2C0C417E64BE91DC18F6290118CFB0B95EB7AD1029D672B07BAFC8281
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:MDMP....... .......-).b........................."..........$....-......4,...w..........`.......8...........T............b...^...........-.........../...................................................................U...........B......L0......GenuineIntelW...........T............).b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):6398
                                                  Entropy (8bit):3.723556925579948
                                                  Encrypted:false
                                                  SSDEEP:192:Rrl7r3GLNie16gXYZISYCprNx89b8BsfVUm:RrlsNi06wYiSs86fD
                                                  MD5:4B06B8E547BE4A7BA93C7560AED876BD
                                                  SHA1:2CB5357AACCD5C107EDDEB480D04D068E57BE29B
                                                  SHA-256:AAE75E1C3891ADF39C0BA185A67F28F4D025A0750AD4C6A6558047B1C01E7356
                                                  SHA-512:0104D32A0C34BADF15E950972CF9DCBD54F3D1F1921B8BF59CAA9DC72D86BDA539365C9260BF5B72D712D6EAD7267DAA697FF4A17FF339B4413A44604C1AD531
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.2.8.<./.P.i.d.>.......
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4763
                                                  Entropy (8bit):4.515085921606482
                                                  Encrypted:false
                                                  SSDEEP:48:cvIwSD8zsXJgtWI98aWgc8sqYj/8fm8M4JujJ2FX+q8v6jJTVJR2Vdd:uITf5HbgrsqYgJ5KSVJ8Vdd
                                                  MD5:EC49AF3B3D22BEE401805BB45BEDC105
                                                  SHA1:D1476F996FCF4169D618C35376984778F9152194
                                                  SHA-256:4DE10861507983F9196169D396FD7C286E51BB6D7499D35FF8850CA4F66A9184
                                                  SHA-512:C1680125896C8E2897FD0496C6E8E9872570608C7ECA5A01196D3BB3FA013175694294DA8561D0DF67BAAA70E0F8D2055A1B82DCF7A6BBF6C2F384F2C8C446B4
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1515322" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                  Process:C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1391
                                                  Entropy (8bit):7.705940075877404
                                                  Encrypted:false
                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                  Process:C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):192
                                                  Entropy (8bit):2.773803200765873
                                                  Encrypted:false
                                                  SSDEEP:3:kkFklKm0hfllXlE/zMc85ljNNX8RolJuRdyo1dlUKlGXJlDdt:kKTm0O18tNMa8Rdy+UKcXP
                                                  MD5:EC6A887DC9E0C968BE650D7E7154E88D
                                                  SHA1:88FFFA37DC6483F1A7A1C05E39506D3C0483F768
                                                  SHA-256:1BE383A47B94E160AC4C649B15B8D859BA967964212517B97D5609154F9338E0
                                                  SHA-512:26104611A869F6986AFBE4203EFD169C91BBE532740585FE248DDCAE58A34F0BA0DB55BBB6BC2A6729D3BF3404723A1F79D79E4CDD591DDB71ED1A13D01DB81F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:p...... ........9...g..(....................................................... ..........~...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...
                                                  Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):1308
                                                  Entropy (8bit):5.345811588615766
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                                  MD5:EA78C102145ED608EF0E407B978AF339
                                                  SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                                  SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                                  SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):22252
                                                  Entropy (8bit):5.59944796203455
                                                  Encrypted:false
                                                  SSDEEP:384:BtCDjC0KpW6Lr+09BBPcOUSB+AjultIQM7nvPg3hInEML+efmAV7tciyNZQvnI+m:dWC6YB/U45CltLo66PKCpg+0
                                                  MD5:6549CFF10ABBDB2F4D78869012AB8AC2
                                                  SHA1:64D876598518198CD9A19090216240B89E32515A
                                                  SHA-256:E99A909442A39C63DE46A2604C1094B780176A19008835FECDA16777DB8C7C82
                                                  SHA-512:71EF30940D9ECA6776C99AEA88DA4DB7AAE979EAC67DEF28ECEBD66B63447226DF8316D8A9F4009BF94E20553FD461916A882E11DB3B341528124CAE641E8E18
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:@...e...........s.......K.................-..........@..........H...............<@.^.L."My...:X..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                  Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):216064
                                                  Entropy (8bit):6.055091750914725
                                                  Encrypted:false
                                                  SSDEEP:6144:7xAlTehh9yUYm//FJZt5oUTeCU7bTQmT8Vtk700jcF7Zk+U:7xAFehh9/Ym//FJZvCVh
                                                  MD5:138E534107A536F319734BFD7A23C8A3
                                                  SHA1:326BC586293776D2DC438409DD5ED956FE672A6E
                                                  SHA-256:3FC1361417C696930DA7901314B51E7C7293C424550F6EA36DC15C90797125DB
                                                  SHA-512:8F500FB340E6DD7DAC9E8A792D467A0440466B806CD5C809484B76EF488C514085B32C8F490F6E81C5C4685B4EF987F6A78C6C2E3509DBDC56EEF18B33CC0FE8
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.kb.................B..........._... ........@.. ....................................@.................................._..S.................................................................................... ............... ..H............text....@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................._......H.......4...t.............................................................(....*..(....*.s.........s.........s.........s.........*...0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0..,.........+......,........,........,.+.+.~....o....*.0............+......,........,........,.+.+...(....(....*...0..(.........+......,........,........,.+.+..(....*.0..,.......
                                                  Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):115712
                                                  Entropy (8bit):6.373768010602997
                                                  Encrypted:false
                                                  SSDEEP:1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
                                                  MD5:68FE2DCF9C615A4A55AAA75A11E1F8F0
                                                  SHA1:F7335F70A3F9DBBFFC5D824AD6A32A52C26D3EB4
                                                  SHA-256:D3DFF8B1B2DC8DDB162CA47244BAA8C086F20E81824E95CDF29B3FAE56536DE7
                                                  SHA-512:0D3B0D533FBF70CBAC0C4E20B807DBAFF54235D4CB1AFA2D979D187FA9AB03FA2068914C5BD429D16C7237F0F61D0D37F31BB8217484588D873677634AAF2FC0
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Florian Roth
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Florian Roth
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: ditekSHen
                                                  • Rule: AveMaria_WarZone, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: unknown
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z]..><..><..><...3.?<..7D..?<...3.<<......?<......=<..;0..?<..7D..:<..7D..!<..><...<...U..N<...Um.?<...U..?<..Rich><..........PE..L.....I_.................0...........\.......@....@..........................@............@..................................w..........p,................... .......u...............................................@..p............................text............0.................. ..`.rdata...I...@...J...4..............@..@.data....P...........~..............@....rsrc...p,..........................@..@.reloc....... ......................@..B.bss.........0......................@..@................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1
                                                  Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1604
                                                  Entropy (8bit):5.1414291730712
                                                  Encrypted:false
                                                  SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjLxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTxv
                                                  MD5:09BA8A7D1E6F45820021C4A8E8FB6886
                                                  SHA1:81B223E59E66AFE9B4AB1DDD1BE147149FB0C107
                                                  SHA-256:36A91485D9DB4F561C78AD994E38E70E1273B28599B112602E22BF8078D3ABE3
                                                  SHA-512:02367F1C0BEB6D53CD27FF5B972ACDBCAF721D80D6FD34C73CD81304D70082E6761A7573027AC62D5FB0FF462E5F98902D860594F541C1567DDBB10809A26DEE
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                  Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1004032
                                                  Entropy (8bit):7.761593863349046
                                                  Encrypted:false
                                                  SSDEEP:12288:u5kOON//aPfRFsW2nRwR79FNLvDYk7mDW7WW6/nKGQ6Ak5S7hoWiLQeR+NmWE6:ERc/CPfRFwSRpPv8yCV/n5slZgQ1
                                                  MD5:F883D433FAB3B7AE0C25625E75A03B38
                                                  SHA1:D29DDEF177A748397ABEF51F7EC2188FC06506D5
                                                  SHA-256:0606D4BC2C27F402BE8E98BA28D3AF0D35C1C85D3BE43690FABE971A687AF9ED
                                                  SHA-512:B84B326B03C1EEC7964D607E04F45B08A0B5083041CD3E8EEC2F525F819054EC713CE3186442A5816FFFB043BFD625F542AC7C14C788DB768D51E342CDEB45E7
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 17%
                                                  Reputation:unknown
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.b..............0..H...........g... ........@.. ....................................@..................................f..O.................................................................................... ............... ..H............text....G... ...H.................. ..`.rsrc................J..............@..@.reloc...............P..............@..B.................f......H...........|G...............e..........................................&.(......*F.(........(.....**..(......*....(......*....(......*..{....*"..}....*&.(......*F.(........(.....**..(......*....(......*....(......*..0...........(.....o......o.....+..*.0...........(.....o......o.....+..*.0...........(.....o.......o.....+..*....0...........(.....o.......o.....+..*....0.. ........(.....o.......o......o$....+..*.0.. ........(.....o.......o......o$....+..*.(....o....*.(....o....*
                                                  Process:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):5811
                                                  Entropy (8bit):5.4155000005474045
                                                  Encrypted:false
                                                  SSDEEP:96:BZ3/7NeqDo1ZqZQ/7NeqDo1ZC1PdjZW/7NeqDo1ZMMNNSZx:X
                                                  MD5:5E9BD99644D97168FB961F5E13052E66
                                                  SHA1:223E62AA2312A7D2D2B1CE383AB7CD057B309A5A
                                                  SHA-256:8D355230C7F912F06CC42A78B4C693F49C77BE79880DD9781D1660B2CFA9ED84
                                                  SHA-512:72E5913D64673E2E8307B3CE2D78B151CF78FAF6432A1437E2ADD57081EE6BE333D31539DDDC4AEC974FB9CB1C67CF2623CA810DB65622578643B460DEF23C73
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220514151114..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe..Process ID: 6492..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220514151114..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe..**********************..Windows PowerShell transcript start..Start time: 20220514151537..Username: computer\user..RunAs User: DESKTOP-7
                                                  Process:C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):835
                                                  Entropy (8bit):4.694294591169137
                                                  Encrypted:false
                                                  SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                  MD5:6EB47C1CF858E25486E42440074917F2
                                                  SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                  SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                  SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.761593863349046
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  File size:1004032
                                                  MD5:f883d433fab3b7ae0c25625e75a03b38
                                                  SHA1:d29ddef177a748397abef51f7ec2188fc06506d5
                                                  SHA256:0606d4bc2c27f402be8e98ba28d3af0d35c1c85d3be43690fabe971a687af9ed
                                                  SHA512:b84b326b03c1eec7964d607e04f45b08a0b5083041cd3e8eec2f525f819054ec713ce3186442a5816fffb043bfd625f542ac7c14c788db768d51e342cdeb45e7
                                                  SSDEEP:12288:u5kOON//aPfRFsW2nRwR79FNLvDYk7mDW7WW6/nKGQ6Ak5S7hoWiLQeR+NmWE6:ERc/CPfRFwSRpPv8yCV/n5slZgQ1
                                                  TLSH:8E25F05133FC5F05E23AA3F59A7051548BB1752B28A6E34E0CC170DB1EA1F41AB63BA7
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.b..............0..H...........g... ........@.. ....................................@................................
                                                  Icon Hash:00828e8e8686b000
                                                  Entrypoint:0x4f670e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x627F6E0A [Sat May 14 08:53:30 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf66bc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf4714 | 0xf4800 | False | 0.857648541347 | SysEx File - | 7.76755151978 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xf8000 | 0x5ac | 0x600 | False | 0.421223958333 | data | 4.08533969296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xf8090 | 0x31c | data | |
RT_MANIFEST | 0xf83bc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2016
Assembly Version | 1.0.0.0
InternalName | cDisplayClass.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | View
ProductVersion | 1.0.0.0
FileDescription | View
OriginalFilename | cDisplayClass.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 15:11:36.216257095 CEST | 49782 | 1198 | 192.168.2.5 | 76.8.53.133
May 14, 2022 15:11:36.334731102 CEST | 1198 | 49782 | 76.8.53.133 | 192.168.2.5
May 14, 2022 15:11:36.334881067 CEST | 49782 | 1198 | 192.168.2.5 | 76.8.53.133
May 14, 2022 15:11:45.302377939 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.329227924 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.331383944 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.389578104 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.390450954 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.417249918 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.417526007 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.446552038 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.493635893 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.514338017 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.549797058 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.549858093 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.549890995 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.549953938 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.566401005 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:45.593547106 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:45.648060083 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.311439037 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.338073015 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.352559090 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.381445885 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.382287979 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.409337997 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.410290003 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.437402964 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.437830925 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.469383001 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.469748020 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.496298075 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.497950077 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.498269081 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.498805046 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.498903036 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:11:47.524457932 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.524576902 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.525204897 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.525228977 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.526380062 CEST | 587 | 49787 | 51.210.156.152 | 192.168.2.5
May 14, 2022 15:11:47.732443094 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:12:08.781395912 CEST | 49787 | 587 | 192.168.2.5 | 51.210.156.152
May 14, 2022 15:12:38.473103046 CEST | 1198 | 49782 | 76.8.53.133 | 192.168.2.5
May 14, 2022 15:12:38.473249912 CEST | 49782 | 1198 | 192.168.2.5 | 76.8.53.133
May 14, 2022 15:12:41.542115927 CEST | 49805 | 1198 | 192.168.2.5 | 76.8.53.133
May 14, 2022 15:12:41.651038885 CEST | 1198 | 49805 | 76.8.53.133 | 192.168.2.5
May 14, 2022 15:12:41.651165962 CEST | 49805 | 1198 | 192.168.2.5 | 76.8.53.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 15:11:45.160797119 CEST | 60969 | 53 | 192.168.2.5 | 8.8.8.8
May 14, 2022 15:11:45.193556070 CEST | 53 | 60969 | 8.8.8.8 | 192.168.2.5
May 14, 2022 15:11:45.259629965 CEST | 62929 | 53 | 192.168.2.5 | 8.8.8.8
May 14, 2022 15:11:45.278019905 CEST | 53 | 62929 | 8.8.8.8 | 192.168.2.5
May 14, 2022 15:11:46.224566936 CEST | 52982 | 53 | 192.168.2.5 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 15:11:45.160797119 CEST | 192.168.2.5 | 8.8.8.8 | 0xa1a2 | Standard query (0) | mail.exportersglobe.com | A (IP address) | IN (0x0001)
May 14, 2022 15:11:45.259629965 CEST | 192.168.2.5 | 8.8.8.8 | 0x31b1 | Standard query (0) | mail.exportersglobe.com | A (IP address) | IN (0x0001)
May 14, 2022 15:11:46.224566936 CEST | 192.168.2.5 | 8.8.8.8 | 0x13d5 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                     CName                                     Address         Type                    Class
May 14, 2022 15:11:45.193556070 CEST  8.8.8.8    192.168.2.5  0xa1a2    No error (0)  mail.exportersglobe.com  exportersglobe.com                        -               CNAME (Canonical name)  IN (0x0001)
May 14, 2022 15:11:45.193556070 CEST  8.8.8.8    192.168.2.5  0xa1a2    No error (0)  exportersglobe.com       -                                         51.210.156.152  A (IP address)          IN (0x0001)
May 14, 2022 15:11:45.278019905 CEST  8.8.8.8    192.168.2.5  0x31b1    No error (0)  mail.exportersglobe.com  exportersglobe.com                        -               CNAME (Canonical name)  IN (0x0001)
May 14, 2022 15:11:45.278019905 CEST  8.8.8.8    192.168.2.5  0x31b1    No error (0)  exportersglobe.com       -                                         51.210.156.152  A (IP address)          IN (0x0001)
May 14, 2022 15:11:46.247303963 CEST  8.8.8.8    192.168.2.5  0x13d5    No error (0)  x1.i.lencr.org           crl.root-x1.letsencrypt.org.edgekey.net   -               CNAME (Canonical name)  IN (0x0001)
Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
May 14, 2022 15:11:45.389578104 CEST  587          49787      51.210.156.152   192.168.2.5      220-server53.dnsserverboot.com ESMTP Exim 4.89_1 #1 Sat, 14 May 2022 18:41:45 +0530
                                                                                                220-We do not authorize the use of this system to transport unsolicited,
                                                                                                220 and/or bulk e-mail.
May 14, 2022 15:11:45.390450954 CEST  49787        587        192.168.2.5      51.210.156.152   EHLO 760639
May 14, 2022 15:11:45.417249918 CEST  587          49787      51.210.156.152   192.168.2.5      250-server53.dnsserverboot.com Hello 760639 [102.129.143.55]
                                                                                                250-SIZE 52428800
                                                                                                250-8BITMIME
                                                                                                250-PIPELINING
                                                                                                250-STARTTLS
                                                                                                250 HELP
May 14, 2022 15:11:45.417526007 CEST  49787        587        192.168.2.5      51.210.156.152   STARTTLS
May 14, 2022 15:11:45.446552038 CEST  587          49787      51.210.156.152   192.168.2.5      220 TLS go ahead

                                                  Target ID:0
                                                  Start time:15:10:48
                                                  Start date:14/05/2022
                                                  Path:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe"
                                                  Imagebase:0x6d0000
                                                  File size:1004032 bytes
                                                  MD5 hash:F883D433FAB3B7AE0C25625E75A03B38
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.514559229.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:6
                                                  Start time:15:11:11
                                                  Start date:14/05/2022
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZWLqFmhrZsaGO.exe
                                                  Imagebase:0x980000
                                                  File size:430592 bytes
                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  Target ID:7
                                                  Start time:15:11:11
                                                  Start date:14/05/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff77f440000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:8
                                                  Start time:15:11:12
                                                  Start date:14/05/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZWLqFmhrZsaGO" /XML "C:\Users\user\AppData\Local\Temp\tmp8559.tmp
                                                  Imagebase:0x250000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:9
                                                  Start time:15:11:13
                                                  Start date:14/05/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff77f440000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:10
                                                  Start time:15:11:17
                                                  Start date:14/05/2022
                                                  Path:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\DHL SHIPMENT NOTIFICATION 1146789443.exe
                                                  Imagebase:0xdd0000
                                                  File size:1004032 bytes
                                                  MD5 hash:F883D433FAB3B7AE0C25625E75A03B38
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000A.00000002.528443565.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Target ID:14
                                                  Start time:15:11:30
                                                  Start date:14/05/2022
                                                  Path:C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe"
                                                  Imagebase:0x10000
                                                  File size:216064 bytes
                                                  MD5 hash:138E534107A536F319734BFD7A23C8A3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.520367739.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.596033248.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.596033248.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.520747603.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.520747603.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.558169558.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.558169558.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.521115962.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.521115962.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.562363837.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.562363837.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.521511127.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.521511127.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.559362643.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000000.563804082.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.597270868.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGIN.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:15
                                                  Start time:15:11:31
                                                  Start date:14/05/2022
                                                  Path:C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe"
                                                  Imagebase:0xb40000
                                                  File size:115712 bytes
                                                  MD5 hash:68FE2DCF9C615A4A55AAA75A11E1F8F0
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000000.526380150.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000003.530860371.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000002.702967431.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000002.702967431.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000003.530903258.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000003.530903258.00000000008F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000000.524159162.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000000.524159162.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000000.525983786.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000000.525983786.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000000.525886935.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000003.531005244.00000000008F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000002.702803997.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000000.524051829.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000003.530769732.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000000.525440996.0000000000B54000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000000.525559127.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000000.525559127.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000003.530973130.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000000.526460067.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000000.526460067.0000000000C8F000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000F.00000002.703160012.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Codoso_Gh0st_2, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Florian Roth
                                                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Florian Roth
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Florian Roth
                                                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: ditekSHen
                                                  • Rule: AveMaria_WarZone, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\INVESTORORIGN.exe, Author: unknown
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:22
                                                  Start time:15:11:53
                                                  Start date:14/05/2022
                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 2356
                                                  Imagebase:0x11b0000
                                                  File size:434592 bytes
                                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  No disassembly