
Windows Analysis Report
DHL_29028263 documento de recibo de la compra,pdf.exe

Overview

General Information

Sample Name: DHL_29028263 documento de recibo de la compra,pdf.exe
Analysis ID: 626596
MD5: 87a264aa9aec9ce66f4b092363dd5adc
SHA1: 64a0954e622afb6d5e2a0256f179d14f112ec723
SHA256: eab5b352e41de89be099054e396f61a942401ab1518186496bc11be1c857242f
Tags: AveMariaRAT, DHL, exe, RAT

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Machine Learning detection for sample
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to inject threads in other processes
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • DHL_29028263 documento de recibo de la compra,pdf.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)
    • DHL_29028263 documento de recibo de la compra,pdf.exe (PID: 6600 cmdline: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)
      • cmd.exe (PID: 6632 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2208 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4992 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 6716 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • window defender.exe (PID: 3668 cmdline: C:\Users\user\AppData\Roaming\window defender\window defender.exe MD5: 87A264AA9AEC9CE66F4B092363DD5ADC)
Malware configuration (AveMaria): {"C2 url": "37.0.14.197", "port": 1997}
Source | Rule | Description | Author | Strings
00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x150e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
(77 entries in the full report; only the first are shown here)

Source | Rule | Description | Author | Strings
3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2318:$c1: Elevation:Administrator!new:
3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
(160 entries in the full report; only the first are shown here)
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack; Malware Configuration Extractor: AveMaria {"C2 url": "37.0.14.197", "port": 1997}
Source: DHL_29028263 documento de recibo de la compra,pdf.exe; Virustotal: Detection: 33%
Source: DHL_29028263 documento de recibo de la compra,pdf.exe; ReversingLabs: Detection: 51%
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe; ReversingLabs: Detection: 51%
Source: DHL_29028263 documento de recibo de la compra,pdf.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe; Joe Sandbox ML: detected
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack; Avira: Label: TR/Redcap.ghjpt
Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack; Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040CF58 LocalAlloc,BCryptDecrypt,LocalFree,

          Exploits

Source: Yara match; File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 6600, type: MEMORYSTR
Source: DHL_29028263 documento de recibo de la compra,pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Directory created: C:\Program Files\Microsoft DN1
Source: DHL_29028263 documento de recibo de la compra,pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler; source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr
          Source: Binary string: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040FF27 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

          Networking

Source: Malware configuration extractor; URLs: 37.0.14.197
Source: Joe Sandbox View; ASN Name: WKD-ASIE WKD-ASIE
Source: global traffic; TCP traffic: 192.168.2.7:49755 -> 37.0.14.197:1997
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_004027D3 URLDownloadToFileW,ShellExecuteW,
Source: unknown; TCP traffic detected without corresponding DNS query: 37.0.14.197 (45 identical entries in the full report)
Source: DHL_29028263 documento de recibo de la compra,pdf.exe; String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_0040D0A3 recv,
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.443037764.00000000013FB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: GetRawInputData
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe; Code function: 3_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

          E-Banking Fraud

Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables embedding command execution via IExecuteCommand COM object; Author: ditekSHen
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AveMaria/WarzoneRAT; Author: ditekSHen
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
          Source: initial sample; Static PE information: Filename: DHL_29028263 documento de recibo de la compra,pdf.exe
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe; Static file information: Suspicious name
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.3218090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d02b0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.0.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.3.DHL_29028263 documento de recibo de la compra,pdf.exe.12d1848.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 1_2_01370448
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 1_2_0137D15C
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 1_2_01370438
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00411BF8
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05155760
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_051593CC
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05155750
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0515AE2C
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0515AE90
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0515AEA0
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05150006
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05150040
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05205913
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05200040
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_052157E0
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05200007
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05215766
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_052157D0
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: String function: 004035E5 appears 40 times
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: String function: 00410969 appears 47 times
          Source: C:\Windows\SysWOW64\cmd.exe | Process Stats: CPU usage > 98%
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: window defender.exe.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | Virustotal: Detection: 33%
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | ReversingLabs: Detection: 51%
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | File read: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe"
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\window defender\window defender.exe C:\Users\user\AppData\Roaming\window defender\window defender.exe
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | File created: C:\Users\user\AppData\Roaming\window defender
          Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@15/3@0/1
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0041290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4468:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | File created: C:\Program Files\Microsoft DN1
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Directory created: C:\Program Files\Microsoft DN1
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler | source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr
          Source: Binary string: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr | source: DHL_29028263 documento de recibo de la compra,pdf.exe, window defender.exe.10.dr

          Data Obfuscation

          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | String found in binary or memory: dotNetProtector
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000000.351923499.00000000002E2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: dotNetProtector
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000000.351923499.00000000002E2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.441844535.00000000002E2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: dotNetProtector
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.441844535.00000000002E2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.414174812.00000000002E2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: dotNetProtector
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.414174812.00000000002E2000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.631371888.0000000003293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: dotNetProtector
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.631371888.0000000003293000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: window defender.exe | String found in binary or memory: dotNetProtector
          Source: window defender.exe, 00000010.00000000.562468843.0000000000E92000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: dotNetProtector
          Source: window defender.exe, 00000010.00000000.562468843.0000000000E92000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: window defender.exe, 00000010.00000002.622503636.0000000000E92000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: dotNetProtector
          Source: window defender.exe, 00000010.00000002.622503636.0000000000E92000.00000020.00000001.01000000.00000008.sdmp | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: window defender.exe.10.dr | String found in binary or memory: dotNetProtector
          Source: window defender.exe.10.dr | String found in binary or memory: ]"oBytesReversedLoGetDynamicILInfoEhCatchEndAddrFieldInfoRuntimeMethodInfoLocalSymInfostartupInfoMemberInfoParameterInfoProcessStartInfoDirectoryInfoNearNegativeZeroSleepsdgpsfgpSetloopinextpFilterApplyPrefixLookupSystem.Linqset_ShowInTaskbarInternalGetNextCharValueMemberset_NumberMagicNumberBuildNumberMD5CryptoServiceProviderTripleDESCryptoServiceProviderMethodBuilderModuleBuilderTypeNameBuilderTypeBuilderAssemblyBuilderSpecialFolderBufferlpBfdsdhsdsdsfufferResourceManagerDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerRemoveEventHandlerStrongNameSignerGregorianCalendarHelperICustomAttributeWriterHelperSeqPointsHelperTypeSpecUserget_IsPointerBitConverterSerializationFormatterSet_IsSetterITokenResolverGetTokenForFloorset_RedirectStandardError.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrewr
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 1_2_002EA91C push edi; retf
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 1_2_002E5167 push ecx; retf
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 1_2_002E5B7B pushad ; ret
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_002EA91C push edi; retf
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_002E5167 push ecx; retf
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_002E5B7B pushad ; ret
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00401190 push eax; ret
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_004144B1 push ebp; retf
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00414550 push ebp; retf
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_00E95167 push ecx; retf
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_00E95B7B pushad ; ret
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_00E9A91C push edi; retf
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0520552B pushad ; iretd
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0520A907 push ebx; retf
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0520AF9B push 00000006h; retf
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0520A88C push ebx; retf
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_0520A6CB push cs; iretd
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_05210E7E pushad ; ret
          Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Code function: 16_2_052154EE pushad ; ret
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040FA42 LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040D418 NetUserAdd,NetLocalGroupAddMembers,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | File created: \dhl_29028263 documento de recibo de la compra,pdf.exe
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\window defender\window defender.exe
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_004027D3 URLDownloadToFileW,ShellExecuteW,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,

          Boot Survival

          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
          Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

          Hooking and other Techniques for Hiding and Protection

          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 2972 | Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 2972 | Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 6240 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 6616 | Thread sleep count: 60 > 30
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe TID: 6616 | Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040FF27 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | API call chain: ExitProcess graph end node
Source: DHL_29028263 documento de recibo de la compra,pdf.exe, 00000003.00000002.623073837.00000000012A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040FA42 LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00401085 GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0041094E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00419172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00410619 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00410620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 8E0000
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 940000
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 8E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 940000 protect: page read and write
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 8E010E
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_00411FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
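The lines above record a classic remote-thread injection: OpenProcess on cmd.exe, an RWX allocation at base 8E0000, WriteProcessMemory, then a thread started at EIP 8E010E, an address inside that fresh allocation rather than in any loaded module. The following is an added example, not part of the Joe Sandbox report, that turns this into a correlation over Sysmon-style telemetry: ProcessAccess (Event ID 10) rights obtained on a target, followed by CreateRemoteThread (Event ID 8) whose StartModule is empty. The records are constructed; the cmd.exe PID, the Taskmgr and csrss records, and the GrantedAccess values are invented for contrast, and the field names are an assumption about the Sysmon schema.

```python
"""Correlating ProcessAccess rights with remote threads started at unbacked addresses.

Added example (not from the report). Records are constructed in the shape of Sysmon
Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread).
"""
# Access rights from winnt.h that a writer-and-launcher needs on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE = r"C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed telemetry. PID 6600 is one of the sample PIDs in the report; 6612 for
# cmd.exe and the two benign-looking records are invented.
EVENTS = [
    {"EventID": 10, "SourceImage": SAMPLE, "SourceProcessId": 6600,
     "TargetImage": CMD, "TargetProcessId": 6612, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": SAMPLE, "SourceProcessId": 6600,
     "TargetImage": CMD, "TargetProcessId": 6612,
     "StartAddress": "0x8E010E", "StartModule": "", "StartFunction": ""},
    # Task Manager querying the same cmd.exe: read-only rights, no thread created.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "SourceProcessId": 4100,
     "TargetImage": CMD, "TargetProcessId": 6612, "GrantedAccess": "0x1000"},
    # A cross-process thread whose start address is image-backed: not this pattern.
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 560,
     "TargetImage": CMD, "TargetProcessId": 6612, "StartAddress": "0x77A12C40",
     "StartModule": r"C:\Windows\SysWOW64\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]


def correlate(events: list) -> list:
    """One finding per cross-process thread started outside any loaded module.

    Severity is 'high' when the same source earlier obtained CREATE_THREAD,
    VM_OPERATION and VM_WRITE on that target (the rights the sample's
    OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain needs),
    otherwise 'medium'.
    """
    rights_seen = {}
    findings = []
    for ev in events:
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            rights_seen[key] = rights_seen.get(key, 0) | int(ev["GrantedAccess"], 16)
            continue
        if ev["EventID"] != 8 or ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue
        if ev.get("StartModule"):
            continue  # image-backed start address; legitimate loaders look like this
        rights = rights_seen.get(key, 0)
        findings.append({
            "severity": "high" if (rights & INJECT_RIGHTS) == INJECT_RIGHTS else "medium",
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "start_address": ev["StartAddress"],
            "granted_access": hex(rights),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"], f["source"], "->", f["target"], "@", f["start_address"])
```

Sysmon leaves StartModule empty when the thread's start address is not inside a mapped image, which is exactly the case for a VirtualAllocEx'd RWX region; the access-rights check filters out tools that legitimately open other processes for reading.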
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Queries volume information: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Queries volume information: C:\Users\user\AppData\Roaming\window defender\window defender.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\window defender\window defender.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040F93F cpuid
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: 3_2_0040882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

          Stealing of Sensitive Information

Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.41435e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DHL_29028263 documento de recibo de la compra,pdf.exe.412b170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: POP3 Password
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: SMTP Password
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: IMAP Password
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe | Code function: \Chromium\User Data\Default\Login Data
Source: Yara match | File source: the same 35 unpacked-PE and memory-dump sources listed in the preceding Yara match block of this section
Source: Yara match | File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 7092, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DHL_29028263 documento de recibo de la compra,pdf.exe PID: 6600, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: the same 35 unpacked-PE and memory-dump sources listed under Stealing of Sensitive Information
MITRE ATT&CK Matrix (techniques listed per tactic; the numbers in parentheses are the counts shown in the matrix)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (1), Scheduled Task/Job (1), Service Execution (2), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: Create Account (1), Windows Service (1), Scheduled Task/Job (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (421), Scheduled Task/Job (1), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1), Masquerading (3), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (421), Hidden Files and Directories (1), Hidden Users (1)
Credential Access: OS Credential Dumping (2), Input Capture (31), Credentials In Files (1), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (1), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (23), Security Software Discovery (121), Virtualization/Sandbox Evasion (31), Process Discovery (1), Network Service Scanning, System Network Connections Discovery, Process Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
Collection: Archive Collected Data (1), Input Capture (31), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Ingress Tool Transfer (21), Encrypted Channel (2), Non-Standard Port (1), Application Layer Protocol (1), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Endpoint Denial of Service (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact
Behavior Graph ID: 626596
Sample: DHL_29028263 documento de r...
Startdate: 14/05/2022
Architecture: WINDOWS
Score: 100
Signatures at the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 13 other signatures

Process tree recovered from the behavior graph:
• DHL_29028263 documento de recibo de la compra,pdf.exe (started)
  • dropped: DHL_29028263 docum... compra,pdf.exe.log, ASCII
  • DHL_29028263 documento de recibo de la compra,pdf.exe (started)
    • DNS/IP: 37.0.14.197, 1997, 49755, 49759 WKD-ASIE Netherlands
    • signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Increases the number of concurrent connection per server for Internet Explorer; 2 other signatures
    • cmd.exe (started)
      • conhost.exe (started)
  • cmd.exe (started)
    • dropped: C:\Users\user\AppData\...\window defender.exe, PE32
    • dropped: C:\...\window defender.exe:Zone.Identifier, ASCII
    • conhost.exe (started)
  • cmd.exe (started)
    • signature: Uses schtasks.exe or at.exe to add and modify task schedules
    • conhost.exe (started)
    • schtasks.exe (started)
• window defender.exe (started)

Source | Detection | Scanner | Label | Link
DHL_29028263 documento de recibo de la compra,pdf.exe | 33% | Virustotal | | Browse
DHL_29028263 documento de recibo de la compra,pdf.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook |
DHL_29028263 documento de recibo de la compra,pdf.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\window defender\window defender.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\window defender\window defender.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.FormBook |

Source | Detection | Scanner | Label | Link | Download
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.7.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.13.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.5.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.16.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.2.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.1.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.19.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.11.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.22.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
3.0.DHL_29028263 documento de recibo de la compra,pdf.exe.400000.9.unpack | 100% | Avira | TR/Redcap.ghjpt | | Download File
          No Antivirus matches
Source | Detection | Scanner | Label | Link
37.0.14.197 | 0% | Avira URL Cloud | safe |
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
37.0.14.197 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/syohex/java-simple-mine-sweeperC: | DHL_29028263 documento de recibo de la compra,pdf.exe, memory dumps listed below | false | | high
  • 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp
  • 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp
  • 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp
  • 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp
  • 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp
  • 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp
  • 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
  • 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp
  • 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
https://github.com/syohex/java-simple-mine-sweeper | DHL_29028263 documento de recibo de la compra,pdf.exe | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
37.0.14.197 | unknown | Netherlands | | 198301 | WKD-ASIE | true
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:626596
Start date and time: 2022-05-14 15:11:11 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 11m 53s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:DHL_29028263 documento de recibo de la compra,pdf.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.phis.troj.spyw.expl.evad.winEXE@15/3@0/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 93% (good quality ratio 92.1%)
              • Quality average: 89.1%
              • Quality standard deviation: 18.6%
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Adjust boot time
              • Enable AMSI
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, fp-vp.azureedge.net, ctldl.windowsupdate.com, arc.msn.com, b-ring.msedge.net
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
15:13:00 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\window defender\window defender.exe"
              Process:C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1119
              Entropy (8bit):5.356708753875314
              Encrypted:false
              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
              MD5:3197B1D4714B56F2A6AC9E83761739AE
              SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
              SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
              SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
              Malicious:true
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
              Process:C:\Windows\SysWOW64\cmd.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):411136
              Entropy (8bit):6.317346244576242
              Encrypted:false
              SSDEEP:6144:fTMhHqjnw6E7SHrJxLY19rS/heoPYtO2LXQOuh23Ta7UEbS2RuLmDtzJ:rsH6E7GPw01YUwsf7UwuLmDtzJ
              MD5:87A264AA9AEC9CE66F4B092363DD5ADC
              SHA1:64A0954E622AFB6D5E2A0256F179D14F112EC723
              SHA-256:EAB5B352E41DE89BE099054E396F61A942401AB1518186496BC11BE1C857242F
              SHA-512:C427A4F1822EB62B75AA346FA891A69F6A712FABAF7C126BC51D49729226EE92A0EB8DAAB649CAAE96E77EC95F415771B2EDF60CA4FDB3A6F56C65F82C33695C
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 51%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.~b................................. ........@.. ...............................$....@.....................................O.......B............................................................................ ............... ..H............text........ ...................... ..`.rsrc...B...........................@..@.reloc...............D..............@..B........................H.......p...,.......9....9................................................(....*..,.~&...(....&~'...rMK.p(....~'...r]K.p(....*..-.*(....&*2~.....(....*..(....*.*..{....*..{....*:~.......(....*..{....*..{....*:~.......(....*..{....*6~......(....*..{....*..{....*..{....*..(.......#.%.L...A#...V...A(w...X(r...Zeff. .;.. ..6`aiZ}....*..{....*..{....*.~....(....*..{....*B.(......ee}....*..{....*.~....(....*..{....*..{....*..{....*.~,...(....*..{....*....0...............#.......@#
              Process:C:\Windows\SysWOW64\cmd.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Preview:[ZoneTransfer]....ZoneId=0
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):6.317346244576242
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Win16/32 Executable Delphi generic (2074/23) 0.01%
              File name:DHL_29028263 documento de recibo de la compra,pdf.exe
              File size:411136
              MD5:87a264aa9aec9ce66f4b092363dd5adc
              SHA1:64a0954e622afb6d5e2a0256f179d14f112ec723
              SHA256:eab5b352e41de89be099054e396f61a942401ab1518186496bc11be1c857242f
              SHA512:c427a4f1822eb62b75aa346fa891a69f6a712fabaf7c126bc51d49729226ee92a0eb8daab649caae96e77ec95f415771b2edf60ca4fdb3a6f56c65f82c33695c
              SSDEEP:6144:fTMhHqjnw6E7SHrJxLY19rS/heoPYtO2LXQOuh23Ta7UEbS2RuLmDtzJ:rsH6E7GPw01YUwsf7UwuLmDtzJ
              TLSH:DB94EB9C7B410E72ED2D913845130A24BB620EB36A44998557CB3DC987FEAFD1F05E8B
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.~b................................. ........@.. ...............................$....@................................
              Icon Hash:d9b7c5d1c5c9c1c3
              Entrypoint:0x45c4ee
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Time Stamp:0x627E2E4D [Fri May 13 10:09:17 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:v4.0.30319
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5c49c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x9b42 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x68000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5a4f4 | 0x5a600 | False | 0.519050397649 | data | 6.258266814 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x5e000 | 0x9b42 | 0x9c00 | False | 0.51519931891 | data | 6.01042834164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x68000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AAKMS | 0x5f9a4 | 0xd | ASCII text, with no line terminators | English | United States
ABDAA | 0x5f9b4 | 0xd | ASCII text, with no line terminators | English | United States
AHDLM | 0x5f9c4 | 0xd | ASCII text, with no line terminators | English | United States
AKOMH | 0x5f9d4 | 0xd | ASCII text, with no line terminators | English | United States
AMMMI | 0x5f9e4 | 0xd | ASCII text, with no line terminators | English | United States
ANEMF | 0x5f9f4 | 0xd | ASCII text, with no line terminators | English | United States
ANKOM | 0x5fa04 | 0xd | ASCII text, with no line terminators | English | United States
ARIIL | 0x5fa14 | 0xd | ASCII text, with no line terminators | English | United States
BKAMK | 0x5fa24 | 0xd | ASCII text, with no line terminators | English | United States
BKDCA | 0x5fa34 | 0xd | ASCII text, with no line terminators | English | United States
BNCDG | 0x5fa44 | 0xd | ASCII text, with no line terminators | English | United States
CMDAB | 0x5fa54 | 0xd | ASCII text, with no line terminators | English | United States
CMRRI | 0x5fa64 | 0xd | ASCII text, with no line terminators | English | United States
CRKLI | 0x5fa74 | 0xd | ASCII text, with no line terminators | English | United States
DCANJ | 0x5fa84 | 0xd | ASCII text, with no line terminators | English | United States
DEBAM | 0x5fa94 | 0xd | ASCII text, with no line terminators | English | United States
DIMDA | 0x5faa4 | 0xd | ASCII text, with no line terminators | English | United States
DJFFF | 0x5fab4 | 0xd | ASCII text, with no line terminators | English | United States
DMFMH | 0x5fac4 | 0xd | ASCII text, with no line terminators | English | United States
DOPDK | 0x5fad4 | 0xd | ASCII text, with no line terminators | English | United States
EFMDR | 0x5fae4 | 0xd | ASCII text, with no line terminators | English | United States
ENBPG | 0x5faf4 | 0xd | ASCII text, with no line terminators | English | United States
FDENR | 0x5fb04 | 0xd | ASCII text, with no line terminators | English | United States
FDKIK | 0x5fb14 | 0xd | ASCII text, with no line terminators | English | United States
FHDFS | 0x5fb24 | 0xd | ASCII text, with no line terminators | English | United States
FNBFO | 0x5fb34 | 0xd | ASCII text, with no line terminators | English | United States
FOJMK | 0x5fb44 | 0xd | ASCII text, with no line terminators | English | United States
FRADI | 0x5fb54 | 0xd | ASCII text, with no line terminators | English | United States
GAIPJ | 0x5fb64 | 0xd | ASCII text, with no line terminators | English | United States
GFIPH | 0x5fb74 | 0xd | ASCII text, with no line terminators | English | United States
GMFMI | 0x5fb84 | 0xd | ASCII text, with no line terminators | English | United States
GPIFK | 0x5fb94 | 0xd | ASCII text, with no line terminators | English | United States
HKDBJ | 0x5fba4 | 0xd | ASCII text, with no line terminators | English | United States
HMMEG | 0x5fbb4 | 0xd | ASCII text, with no line terminators | English | United States
HPDEG | 0x5fbc4 | 0xd | ASCII text, with no line terminators | English | United States
HRHBL | 0x5fbd4 | 0xd | ASCII text, with no line terminators | English | United States
ICIDF | 0x5fbe4 | 0xd | ASCII text, with no line terminators | English | United States
IFDKF | 0x5fbf4 | 0xd | ASCII text, with no line terminators | English | United States
IFFIF | 0x5fc04 | 0xd | ASCII text, with no line terminators | English | United States
IGKNK | 0x5fc14 | 0xd | ASCII text, with no line terminators | English | United States
IHIMM | 0x5fc24 | 0xd | ASCII text, with no line terminators | English | United States
IKRAM | 0x5fc34 | 0xd | ASCII text, with no line terminators | English | United States
IMDOO | 0x5fc44 | 0xd | ASCII text, with no line terminators | English | United States
IMKJA | 0x5fc54 | 0xd | ASCII text, with no line terminators | English | United States
JAALL | 0x5fc64 | 0xd | ASCII text, with no line terminators | English | United States
JFNMK | 0x5fc74 | 0xd | ASCII text, with no line terminators | English | United States
JGIRF | 0x5fc84 | 0xd | ASCII text, with no line terminators | English | United States
KAEES | 0x5fc94 | 0xd | ASCII text, with no line terminators | English | United States
KAMOL | 0x5fca4 | 0xd | ASCII text, with no line terminators | English | United States
KDNOK | 0x5fcb4 | 0xd | ASCII text, with no line terminators | English | United States
LOALC | 0x5fcc4 | 0xd | ASCII text, with no line terminators | English | United States
LOJLG | 0x5fcd4 | 0xd | ASCII text, with no line terminators | English | United States
LRMBH | 0x5fce4 | 0xd | ASCII text, with no line terminators | English | United States
MFCMI | 0x5fcf4 | 0xd | ASCII text, with no line terminators | English | United States
MGOSL | 0x5fd04 | 0xd | ASCII text, with no line terminators | English | United States
MJPDD | 0x5fd14 | 0xd | ASCII text, with no line terminators | English | United States
MODGK | 0x5fd24 | 0xd | ASCII text, with no line terminators | English | United States
MPIDD | 0x5fd34 | 0xd | ASCII text, with no line terminators | English | United States
NAMDL | 0x5fd44 | 0xd | ASCII text, with no line terminators | English | United States
NKHOD | 0x5fd54 | 0xd | ASCII text, with no line terminators | English | United States
OFCHM | 0x5fd64 | 0xd | ASCII text, with no line terminators | English | United States
OKBKR | 0x5fd74 | 0xd | ASCII text, with no line terminators | English | United States
OMCKE | 0x5fd84 | 0xd | ASCII text, with no line terminators | English | United States
PAEML | 0x5fd94 | 0xd | ASCII text, with no line terminators | English | United States
PGHBJ | 0x5fda4 | 0xd | ASCII text, with no line terminators | English | United States
PKDKB | 0x5fdb4 | 0xd | ASCII text, with no line terminators | English | United States
PKMBI | 0x5fdc4 | 0xd | ASCII text, with no line terminators | English | United States
RGKLE | 0x5fdd4 | 0xd | ASCII text, with no line terminators | English | United States
SALMC | 0x5fde4 | 0xd | ASCII text, with no line terminators | English | United States
SARND | 0x5fdf4 | 0xd | ASCII text, with no line terminators | English | United States
SGBIH | 0x5fe04 | 0xd | ASCII text, with no line terminators | English | United States
SPRMM | 0x5fe14 | 0xd | ASCII text, with no line terminators | English | United States
RT_ICON | 0x5fe24 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x6028c | 0x988 | data | |
RT_ICON | 0x60c14 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294769916, next used block 4294835709 | |
RT_ICON | 0x61cbc | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0x64264 | 0x34ad | PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced | |
RT_GROUP_ICON | 0x67714 | 0x4c | data | |
RT_VERSION | 0x67760 | 0x1f8 | data | English | United States
RT_MANIFEST | 0x67958 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
              DLL | Import
              mscoree.dll | _CorExeMain
              Description | Data
              LegalCopyright |
              FileVersion | , , ,
              CompanyName |
              Comments |
              ProductName |
              ProductVersion | , , ,
              FileDescription |
              Translation | 0x0409 0x04b0
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              May 14, 2022 15:13:04.056092978 CEST | 49755 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:04.082940102 CEST | 1997 | 49755 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:04.670289993 CEST | 49755 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:04.695924997 CEST | 1997 | 49755 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:05.373480082 CEST | 49755 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:05.399058104 CEST | 1997 | 49755 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:10.406867981 CEST | 49759 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:10.433067083 CEST | 1997 | 49759 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:10.967681885 CEST | 49759 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:10.993261099 CEST | 1997 | 49759 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:11.670934916 CEST | 49759 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:11.696858883 CEST | 1997 | 49759 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:16.758996964 CEST | 49764 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:16.784977913 CEST | 1997 | 49764 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:17.374563932 CEST | 49764 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:17.400126934 CEST | 1997 | 49764 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:18.062067032 CEST | 49764 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:18.087609053 CEST | 1997 | 49764 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:23.221126080 CEST | 49767 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:23.246988058 CEST | 1997 | 49767 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:23.765683889 CEST | 49767 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:23.791879892 CEST | 1997 | 49767 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:24.468888044 CEST | 49767 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:24.494963884 CEST | 1997 | 49767 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:29.503086090 CEST | 49772 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:29.529722929 CEST | 1997 | 49772 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:30.156899929 CEST | 49772 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:30.182760000 CEST | 1997 | 49772 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:30.766243935 CEST | 49772 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:30.792093992 CEST | 1997 | 49772 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:35.801711082 CEST | 49775 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:35.827675104 CEST | 1997 | 49775 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:36.376149893 CEST | 49775 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:36.401798010 CEST | 1997 | 49775 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:37.063730955 CEST | 49775 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:37.089828968 CEST | 1997 | 49775 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:42.097322941 CEST | 49776 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:42.123228073 CEST | 1997 | 49776 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:42.673525095 CEST | 49776 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:42.700122118 CEST | 1997 | 49776 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:43.376730919 CEST | 49776 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:43.403115034 CEST | 1997 | 49776 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:48.413826942 CEST | 49779 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:48.439472914 CEST | 1997 | 49779 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:48.970900059 CEST | 49779 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:48.996689081 CEST | 1997 | 49779 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:49.658581972 CEST | 49779 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:49.684767962 CEST | 1997 | 49779 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:54.709506989 CEST | 49786 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:54.735519886 CEST | 1997 | 49786 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:55.268349886 CEST | 49786 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:55.294430971 CEST | 1997 | 49786 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:13:55.971503019 CEST | 49786 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:13:55.997323990 CEST | 1997 | 49786 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:01.001420021 CEST | 49788 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:01.027152061 CEST | 1997 | 49788 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:01.674514055 CEST | 49788 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:01.700834036 CEST | 1997 | 49788 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:02.274871111 CEST | 49788 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:02.300708055 CEST | 1997 | 49788 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:07.310281038 CEST | 49791 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:07.336261988 CEST | 1997 | 49791 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:07.875304937 CEST | 49791 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:07.901042938 CEST | 1997 | 49791 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:08.463462114 CEST | 49791 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:08.489412069 CEST | 1997 | 49791 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:14.789881945 CEST | 49795 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:14.816304922 CEST | 1997 | 49795 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:15.470901966 CEST | 49795 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:15.496644020 CEST | 1997 | 49795 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:16.158397913 CEST | 49795 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:16.183933973 CEST | 1997 | 49795 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:21.192248106 CEST | 49798 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:21.218460083 CEST | 1997 | 49798 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:21.863154888 CEST | 49798 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:21.888931036 CEST | 1997 | 49798 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:22.472081900 CEST | 49798 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:22.497839928 CEST | 1997 | 49798 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:27.504615068 CEST | 49801 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:27.530740976 CEST | 1997 | 49801 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:28.081301928 CEST | 49801 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:28.107630968 CEST | 1997 | 49801 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:28.768841028 CEST | 49801 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:28.794717073 CEST | 1997 | 49801 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:34.069231987 CEST | 49802 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:34.095155001 CEST | 1997 | 49802 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:34.675590992 CEST | 49802 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:34.701366901 CEST | 1997 | 49802 | 37.0.14.197 | 192.168.2.7
              May 14, 2022 15:14:35.363176107 CEST | 49802 | 1997 | 192.168.2.7 | 37.0.14.197
              May 14, 2022 15:14:35.388854980 CEST | 1997 | 49802 | 37.0.14.197 | 192.168.2.7
              Target ID:1
              Start time:15:12:22
              Start date:14/05/2022
              Path:C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe"
              Imagebase:0x2e0000
              File size:411136 bytes
              MD5 hash:87A264AA9AEC9CE66F4B092363DD5ADC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000002.447136668.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000002.447222285.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low

              Target ID:3
              Start time:15:12:51
              Start date:14/05/2022
              Path:C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe
              Imagebase:0x2e0000
              File size:411136 bytes
              MD5 hash:87A264AA9AEC9CE66F4B092363DD5ADC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000000.417195755.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000000.416591236.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000000.416662895.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000000.417147497.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000003.431594632.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.426962811.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.431623764.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000002.622879575.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.431671478.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000003.426948480.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.431567861.00000000012F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000000.418334237.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000000.418265932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000002.622706566.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000000.417884328.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000000.415418870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.426786774.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000000.415889492.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000000.417779464.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.431652682.00000000012FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.424810982.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low

              Target ID:6
              Start time:15:12:54
              Start date:14/05/2022
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
              Imagebase:0xdd0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:7
              Start time:15:12:55
              Start date:14/05/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7bab80000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:8
              Start time:15:12:56
              Start date:14/05/2022
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\window defender\window defender.exe'" /f
              Imagebase:0x7ff7e8070000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:9
              Start time:15:13:00
              Start date:14/05/2022
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\System32\cmd.exe
              Imagebase:0xdd0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:10
              Start time:15:13:00
              Start date:14/05/2022
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe" /C copy "C:\Users\user\Desktop\DHL_29028263 documento de recibo de la compra,pdf.exe" "C:\Users\user\AppData\Roaming\window defender\window defender.exe
              Imagebase:0xdd0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:12
              Start time:15:13:01
              Start date:14/05/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7bab80000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:13
              Start time:15:13:02
              Start date:14/05/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7bab80000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:16
              Start time:15:14:00
              Start date:14/05/2022
              Path:C:\Users\user\AppData\Roaming\window defender\window defender.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\window defender\window defender.exe
              Imagebase:0xe90000
              File size:411136 bytes
              MD5 hash:87A264AA9AEC9CE66F4B092363DD5ADC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 51%, ReversingLabs

              No disassembly